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Corporate security news 




Defend Windows web servers with ThreatSentry 3.0 
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ThreatSentry 3.0 is a Host Intrusion Prevention System (HIPS) specifically 
designed to address internal and external unauthorized system access and 
cyber-criminal threats on Web servers utilizing Microsoft Internet Information 
Services (IIS). Since its introduction, IIS has grown in popularity and ranks as 
one of the most widely used platforms for enabling simple to sophisticated 
Web sites and Web-based applications. While it is well-regarded for its ease 
of use and range of features, it is frequently targeted by hackers due to a va- 
riety of US-related vulnerabilities and the inherently open nature of many 
Web applications - many of which manage sensitive information such as 
credit card numbers, passwords, or other private information. ThreatSentry pricing starts at $399 
per server. For more information visit hwww.privacyware.com 




AirDefense Mobile 4.0 released 



AirDefense 7 ' 



AirDefense announced the release of AirDefense Mobile 4.0, the 
newest version of the company's security and wireless network 
assessment tool. Mobile 4.0 includes a new analysis engine, 
which is built on the award-winning, patented technology used in 

the company's flagship product, AirDefense Enterprise. The analysis engine provides network 
administrators with more than 100 security and performance-based alarms, along with other new 
features such as alarm notification via email or Syslog messaging. AirDefense Mobile runs on any 
Windows 2000 or XP platform, and installs on any laptop with an Atheros-based 802.11 a/b/g 
wireless card, such as Netgear (WAG511) or Cisco (CB21AG). For more information visit 
www.airdefense.net 
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SECUDE releases Secure notebook 7.2 




SECUDE secure notebook reliably protects notebooks, desktops and 
external mass storage devices from unauthorised access. Unlike 
other solutions it encrypts the entire hard disk rather than just indi- 
vidual files or folders, which means it protects temporary files, swap 
files and even the operating system itself. 

A new feature with version 7.2 is the encryption of hibernation files 
(the files that a notebook creates just before entering hibernation mode); eliminating the possibil- 
ity of attack by this route and guaranteeing full protection in all circumstances. 

This version also offers a Plug-In for BartPE; the Windows recovery system that boots and runs 
from CD. It supports the creation of an emergency recovery disk (ERD), which can be used to 
secure data for emergency cases, preventing loss; as well as getting the notebook running after a 
system crash. More information is available at www.secude.com 



Anti-keylogger plugin for Microsoft Internet Explorer released 



A browser plugin named KeyScrambler was recently released by 
Florida startup QFX Software. The Personal edition is free for 
download at the company's website and it protects all logins 
against keyloggers. 

The new anti-keylogging tool is an invaluable addition to the IE 
users' security as it protects all login pages and it does so by 
encrypting the user's keystrokes at the kernel driver level, before 
keyloggers can record them. Download the trial from 
www. qf xsof tware . co m 
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AirPcap USB 2.0 WLAN packet capture device available 
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CACE Technologies announced the release of AirPcap 
USB 2.0 WLAN packet capture device for Windows. The 
device enables troubleshooting tools like Wireshark and 
WinDump to provide information about the wireless proto- 
cols and radio signals. 



The AirPcap adapter, together with the Wireshark Network 
Analyzer, gives you a detailed view on the 802.11 traffic, 
including control frames (ACK, RTS, CTS), management 
frames (Beacon, Probe requests and responses, 
Association/Disassociation, Authentication/Deauthentication) and data frames. The captured 
frames include the 802.11 Frame Check Sequence, and it's possible to capture frames with an 
invalid FCS to spot remote access points with a weak signal. For more information visit 
www. cacetech . co m 




« i :i a ji .■• Ji .-I -ji i: <W it 1J 11 -.. ..3 



www.insecuremag.com 



5 



r 



Sophos offers free rootkit detection and removal tool 



Sophos today announced the availability of a new free- 
of-charge, standalone tool offering comprehensive rootkit 
detection and removal capabilities. Sophos Anti-Rootkit 
complements Sophos Anti-Virus 6.0 and other vendors' 
anti-virus solutions by providing an additional layer of 
protection for the Windows NT/2000/XP/2003 operating 
systems. 
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Unlike other tools available, Sophos Anti-Rootkit warns if 
removal of a particular rootkit will impact upon the effi- 
ciency or integrity of the infected PC's operating system. 

This feature lets network administrators make an informed decision on how they want to proceed. 
Download the software from www.sophos.com/products/free-tools 



New Bue Coat applicances offer better performance 



Blue^Coat 



Blue Coat Systems announced it is releasing new appliance 
hardware models offering throughput performance increases of 
approximately two to three times higher than existing models. The 
new appliances run the same existing Blue Coat SGOS software 
for WAN optimization and Web security and control. A new add-in 
card for visibility control and acceleration of SSL traffic now features a chip that is certified to 
Federal Information Processing Standards (FIPS) 104-2. 

Performance increases in the new models are the result of faster CPUs, greater memory and 
overall system improvements. The models offer more memory capacity than comparable current 
models and many of them offer larger disk space with the option for even greater disk space. For 
more information visit Blue Coat Systems at www.bluecoat.com 
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BitDefender unveils next generation security products 

BitDefender announced the launch of version 10 of its line of solutions 
for consumers and small businesses. 

Employing BitDefender's new patent pending B-HAVE (Behavioral Heu- 
ristic Analyzer in Virtual Environments) technology version 10 of BitDe- 
fender's Internet Security Antivirus Plus, and Antivirus security solu- 
tions offer consumers and small to mid-sized businesses the industry's 
strongest heuristics-based technology for proactively monitoring and 
detecting today's most malicious viruses, spyware, spam and phishing 
activity. 

Additionally, all of the solutions will include an anti-rootkit module for 
detecting and removing rootkits. More information is available at 
www.bitdefender.com 
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Payment Card Industry demystified 

By Mkhacl Dahn 





Over the years the landscape of information security has changed from the 
need to implement perimeter protection to the concept of defense-in-depth 
and edge-security. Both of the latter concepts are a result of the changing 
landscape of fraud. In an effort to prevent fraud and reduce risk across the 
board, different industries have implemented their own set of compliance re- 
auirements. 



On the surface the PCI DSS looks very de- 
tailed, especially when compared with other 
standards such as HIPAA, GLBA, and SOX. 
Underneath the clearly outlined requirements 
and audit procedures is a lengthy list of com- 
pensating controls, third-party systems, out- 
sourcing, small data caveats, and that doesn't 
even break the surface of the individual re- 
quirements and their intent. As PCI begins to 
gain critical mass and more companies begin 
to comply there is a need for clarity of vision 
and understanding for each part of the stan- 
dard. 

This article begins to demystify the Payment 
Card Industry Data Security Standard; ex- 
plains the industry, its players, and how they 
relate; and explain the long list of nuances 
and differences in these definitions. 
Through detailed explanation the reader 
should have a much stronger understanding 



of the history, current landscape, risks, and 
best ways to mitigate those risks for your 
company or the companies you work with. 
This paper will not make you an expert on the 
payment card industry but it will give you a 
great start in beginning to understand the 
compliance process. 

A quick review of the headlines in 2005 dem- 
onstrates that organized crime is successfully 
compromising organizations of all kinds to 
gain access to credit and debit card data. It 
seemed like every week there was a new data 
compromise showing up in the news, eerily 
shadowing the many more that never made it 
to press. The credit card associations saw this 
fraud coming and have been working since 
1999 to move the industry onto a more secure 
path, but it is not as easy as many assume. 

The payment card industry is a unique beast 
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when compared with others because it does 
not fit into a single procrustean box. While 
other industries fall into "verticals" such as fi- 
nancial services, manufacturing, or education, 
the payment card industry is described as a 
"horizontal" because it cuts across most other 
vertical industries. The majority of companies 
accept credit cards as payment for services 
and thus falls under the umbrella of the pay- 
ment card space. Due to its large size making 
any change in this market is a slow process 
that takes time and patience. 

The card associations finally combined forces 
in December of 2004 by creating a common 
compliance standard to which they all agreed. 
This reduced the overlap and redundancies as 
well as compliance costs for companies. The 
industry emerged in 2005 with a new standard 
for compliance, but crime continued to in- 
crease more than ever as criminals found new 
and creative attack vectors to target the indus- 
try. The card associations, overwhelmed with 
fighting fires on multiple fronts, tried to push 
companies to increase the security of their 
data systems to prevent future fraud. In June 
of 2005 a large and mostly unknown credit 
card data processor CardSystems Solutions 
Inc. (CSSI) was compromised and liable for 
the potential loss of 40 million credit card 
numbers. This was the largest data security 
breach to date and made worse by the fact 
that CSSI was listed on the Visa web site as a 
compliant service provider. This one event 
rocked the industry because of the media 
coverage it obtained. It seemed as if the pub- 
lic was suddenly concerned with their per- 
sonal privacy and they began fighting back 
against the senseless loss of personal infor- 
mation. 

In October 2005, John Coghlan, the new 
President and CEO for Visa U.S.A., an- 
nounced his focus in helping secure the pay- 
ment card industry. Although forgoing the use 
of credit cards is almost unimaginable for 
many people, the risk of brand reputation loss 
and the slowing of an ever expanding market 
could cause millions of dollars of loss for Visa 
as well as other card associations. Industry 
experts began to look at all the moving parts 
and realize the magnitude of what it meant to 
secure credit card data. For years, companies 
were storing credit card data along with all the 
other data they collected because data stor- 



age was cheap. Now they were being told not 
only should they not store it but if they do 
there is a whole list of controls they must have 
in place. In many instances these controls re- 
lied on software that was sold to them by third 
parties - entities that were outside their con- 
trol. 

As companies moved slowly towards compli- 
ance another problem arose. The standard 
was so new that everyone interpreted it a little 
differently. One would think that between se- 
curity professionals they would all interpret a 
certain requirement a little different but more 
or less the same. This assumption proved 
very wrong as information security consulting 
companies were submitting proposals for work 
that varied from $10,000 to $400,000 for the 
same project. It was clear that these require- 
ments needed some clarification so compa- 
nies and professionals would have a common 
understanding about their intent and thus their 
implementation. 

To address this communication problem, Visa 
U.S.A. (and the other regions internationally) 
launched a training program for qualified pro- 
fessionals to provide them a common under- 
standing of the industry, compliance require- 
ments, and their intent. This paper does for 
the individual what Visa has already done for 
the qualified security companies - it explains 
the intent, clarifies the ambiguity, and provides 
examples for how the payment card industry 
compliance requirements affect your busi- 
ness. After reading this paper you should be 
better able to understand their recommenda- 
tions and qualify them to save your company 
or department time and money. 

Creating and rolling out any new standard for 
any industry is not an easy task. The British 
standard for information security management 
(BS 7799) began as a code of practice in 
1 992 but was not formalized into a standard 
until 1995. Even then it was not until Decem- 
ber of 2000 that it became an international 
standard as ISO 17799. In 2002, the second 
part of the standard was published as BS 
7799-2. Then in October of 2005 a final draft 
of ISO 27001 was published that described 
how to apply the controls of ISO 17799 and 
how to build and maintain an information se- 
curity management system (ISMS ). It has 
taken 13 years for the standard to mature 



www.insecuremag.com 



8 



from a code of practice into a fully working 
certification program. This shows that stan- 
dards are not created perfect but evolve and 
change over time. 

The payment card industry is one of the first to 
proactively implement an industry specific 
compliance program. The real estate market 
implemented a similar industry driven regula- 
tion called the REALTOR Secure program but 
it is nowhere near the size or has as much 
impact as the one being implemented by the 
payment card industry. The reason for self 
regulating is to prevent government interven- 
tion and increase consumer confidence. The 
story goes like this: if the fraud increases too 
much and the media hypes it, then people will 
get concerned - if citizens are worried they 
put pressure on their local and state represen- 
tatives in government who then pass legisla- 



tion to control the fraud problem. Legislation is 
one way of stemming the fraud, but it also 
binds all of the players in the payment card 
industry to play by the rules set forth by the 
federal government. Some may not see a 
problem with this, but those familiar with the 
government run Gramm-Leach-Bliley (GLB) 
Act of 1 999 will know that it is better to have 
Visa as your regulator than the Federal Re- 
serve, FTC, Controller of the Currency and 
Office of Thrift Supervision. The major differ- 
ence between industry run regulations and 
those controlled by the government is that of 
flexibility. The card associations are better 
able to update and improve their compliance 
requirements on a continual basis as opposed 
to those that govern financial institutions such 
as Credit Unions with compliance require- 
ments that are only updated on a three year 
cycle. 



...if the fraud increases too much and the media hypes it, then people will get concerned. 



This combination of self-regulation and actual 
teeth to the program (in terms of large fines) 
are what is driving the industry in the right di- 
rection towards protecting a person's credit 
card data. 

The credit card associations include Visa, 
MasterCard, American Express, Discover, and 
JCB. These participants came together to 
agree upon a set of common security re- 
quirements that would govern entities that 
store, process, or transmit cardholder data. 
The card associations also agreed on the 
definition of cardholder data as the account 
number (also known as the Primary Account 
Number or PAN), the expiration date, track 
data, personal identification number (PIN) 
block data, and the card verification value 
(CVV2). The proper protection of these data 
elements is mandated by the PCI DSS re- 
quirements and must be verified differently 
depending on the level definition assigned to 
the organization. 

The PCI DSS focuses on 12 different areas of 
security including: network segmentation, de- 
fault settings, data encryption, secure network 
communications, anti-virus software, software 
development life cycle (SDLC), access restric- 
tions, user authentication, physical security, 
event logging, testing and auditing systems, 
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and policies and procedures. Each of these 
areas is optically similar to other information 
security best practices, but there is a differ- 
ence in that they focus specifically on card- 
holder data and the environment that sur- 
rounds, connects, and protects that data. 

A common confusion is the difference be- 
tween PCI, Cardholder Information Security 
Program (CISP), Account Information Security 
(AIS), and Site Data Protection (SDP). For 
many who are not familiar with the subtly of 
the PCI program these acronyms seem inter- 
changeable, but there are important distinc- 
tions between them. When the different card 
associations (Visa, MasterCard, Discover, 
American Express, and JCB) decided to align 
their security programs they had to make 
compromises to account for their differences 
in structure and location. MasterCard is an 
association that is internationally chartered 
meaning that there is only one region that is 
global in nature. They required their SDP pro- 
gram be implemented universally around the 
world. Conversely, Visa is made up of six dif- 
ferent regions and each has a slightly different 
way of combating fraud. Visa U.S.A. has the 
CISP which implements the PCI standard. AIS 
is the name given to implementation of PCI 
with the other international Visa regions. 



The PCI alignment is the agreement by the 
different card associations to adopt the follow- 
ing documents as the data security require- 
ments, compliance criteria, and validation pro- 
cedures. 

• PCI Data Security Standard 

• PCI Security Audit Procedures 

• PCI Self-Assessment Questionnaire 

• PCI Network Security Scan Requirements 

• PCI Payment Application Best Practices 
(Proposed) 

The PCI DSS applies to any entity that stores, 
processes, or transmits credit card data and 
all system components connected to the 
cardholder data environment. All entities must 
be compliant, but how they validate their com- 
pliance is based on several factors including 
their transaction volume and what services 
they provide. These may seem like simple 



definitions but they grow in complexity with the 
entity being examined. 

Many people get confused about the differ- 
ence between merchants, service providers, 
gateways, and data storage entities. The card 
associations generally break down non- 
issuing/acquiring/processing entities into: 
Merchant or Service Provider. 

A Merchant is defined as a location or store 
where purchases are made. The merchant is 
responsible for the security of the credit card 
information regardless of who they pass off 
the information to, such as a service provider. 

A Service Provider is defined as an entity that 
handles credit card information on behalf of a 
merchant, acquirer, issuer, processor, or other 
service provider. 



Many people think of Amazon/ the online book seller, as a 
simple merchant but they are much more complex than that. 



Level 1 Service Provider examples 

• Gateways 

• VisaNet Processors (member and non- 
member) 

• Data Storage Entity (DSE) - (more than 6 
million MasterCard or Visa transactions re- 
gardless of acceptance channel) 

Level 2 and 3 Service Provider examples 

• Data Storage Entity (DSE) - (more than 
150,000 and less than 6,000,000 electronic 
commerce transactions) 

• Third-Party Servicer (TPS) 

• Independent Sales Organizations (ISO) 

• Merchant vendor 

• Web hosting company or shopping cart 

• Media back-up company 

• Loyalty program vendor 

• Risk management vendor 

• Chargeback vendor 

• Credit bureau 



Many people think of Amazon, the online book 
seller, as a simple merchant but they are 
much more complex than that. Amazon is 
strangely enough both a merchant and a serv- 
ice provider. They are a merchant because 
they accept credit cards for the books they sell 
and a service provider for the transactions 
they aggregate on behalf of other merchants. 
Amazon offers other merchants, most notably 
Target, a storefront for their merchandise. The 
transactions are processed by Amazon on be- 
half of many different merchants making them 
a service provider. 

A common misconception with PCI is that if a 
company does not need to validate their com- 
pliance then they do not need to be compliant. 
This is incorrect because all companies must 
comply with the PCI DSS, but how these 
companies validate their compliance will differ 
depending on the type of organization, their 
transaction volume, and acceptance channels 
(i.e. e-commerce vs. brick-and-mortar). 
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Merchants are divided into four levels depend- 
ing on their transaction level as shown in the 
table below. A recent change in the level defi- 
nitions increased the number of Level 2 mer- 
chants by making that level agnostic about 
acceptance channel and thus capturing many 



large brick-and-mortar retailers that flew under 
the radar previously by not having e- 
commerce systems. The deadline for compli- 
ance of all merchants, other than those newly 
classified as Level 2, has already passed. 



Merchant Level 


Description 


Level 1 


• Any merchant-regardless of acceptance channel-processing over 
6,000,000 Visa transactions per year. 

• Any merchant that has suffered a hack or an attack that resulted in an 
account data compromise. 

• Any merchant that Visa, at its sole discretion, determines should meet 
the Level 1 merchant requirements to minimize risk to the Visa system. 

• Anv mprrhant idpntifipd hv anv othpr navmpnt rard hrand I pvpI 1 
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Level 2 


Any merchant-regardless of acceptance channel-processing 1 ,000,000 
to 6,000,000 Visa transactions per year. 


Level 3 


Any merchant processing 20,000 to 1 ,000,000 Visa e-commerce 
transactions per year. 


Level 4 


Any merchant processing fewer than 20,000 Visa e-commerce transac- 
tions per year, and all other merchants-regardless of acceptance 
channel-processing up to 1 ,000,000 Visa transactions per year. 



Level 1 merchants validate their compliance 
by having an annual on-site data security as- 
sessment by a qualified security assessor and 
performing a quarterly network scan by a 
qualified scan vendor. These requirements are 
meant to enforce compliance among the riski- 
est merchants. Level 2 and 3 merchants must 
only complete an annual self-assessment 
questionnaire and a quarterly network scan by 
a qualified scan vendor. The ability to self- 
assess is given to those merchants that pose 
a lower security risk. Level 4 merchants must 



perform the same measures as Level 2 and 3 
merchants but their validation dates and en- 
forcement is regulated by their acquirer. 

Service providers are divided into three levels 
depending on their transaction level. Visa and 
MasterCard differ on their definitions of a serv- 
ice provider meaning the service provider 
must assess at the greater of the two level 
definitions they would fall into. The table be- 
low outlines the Visa and MasterCard service 
provider levels. 



Visa Service Provider 


Description 


Level 1 


All VisaNet processors (member and Nonmember) and all payment 
gateways. 


Level 2 


Any service provider that is not in Level 1 and stores, processes, or 
transmits more than 1 ,000,000 Visa accounts/transactions annually. 


Level 3 


Any service provider that is not in Level 1 and stores, processes, or 
transmits fewer than 1 ,000,000 Visa accounts/transactions annually. 
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MasterCard Service 
Provider 


Description 


Level 1 


• All third-party processors. 

• All data storage entities (DSE) that store account data on behalf of 
Level 1 or Level 2 merchants. 


Level 2 


All DSEs that store account data on behalf of level 3 merchants. 


Level 3 


All other DSEs not included in Levels 1 and 2. 



Level 1 and 2 service providers validate their 
compliance by having an annual on-site data 
security assessment by a qualified security 
assessor and performing a quarterly network 
scan by a qualified scan vendor. Level 3 serv- 
ice providers must only complete an annual 
self-assessment questionnaire and a quarterly 
network scan by a qualified scan vendor. All 
service providers must also submit a letter 
stating the confirmation of their report's accu- 
racy. This provides clearly worded language 
from the service providers attesting to the fact 
that the report being submitted to the card as- 
sociations is correct and valid. 

Credit card compromise cases continue to 
plague the industry as attackers evolve from 
one method of attack to another. The current 
trends show credit card compromises are 
changing from Internet facing organizations 
down to the application level. 

E-commerce merchants were first on the 
scene for bringing credit card transactions to 
the Internet. The credit card lends itself easily 
to purchasing products and services online 
through its flexibility and almost universal ac- 
ceptance. Credit cards can either be used in a 
'swipe' transaction where the credit card is 
presented to the merchant and the magnetic 
track is read or in a 'card not present' transac- 
tion where only the credit card number and 
expiration date are available. Card not present 
transactions are a higher risk due to the fact 
that the information could be forged. In addi- 
tion to the risk of card not present transactions 
there is the inherent risk that e-commerce sys- 
tems are susceptible to attack by any user 
connected to the Internet. 

Service providers pose a unique risk in that 
they typically handle credit card data from 
multiple entities, either merchants, acquirers, 



or processors. A gateway aggregates transac- 
tions from multiple merchants thus increasing 
the volume and risk posed by these organiza- 
tions. Service providers typically aggregate e- 
commerce transactions but can just as easily 
aggregate transactions from brick-and-mortar 
merchants. 

Retail merchants pose a specific risk as more 
and more stores are being connected together 
via the Internet or use wireless networks for 
POS or inventory purposes. The first risk 
arises as retail stores are being connected di- 
rectly to the Internet. As companies grow and 
open new stores they are constantly looking 
for an inexpensive method of remotely man- 
aging them. These companies need a way of 
remotely managing and accessing each store 
for administrative purposes. As a result many 
companies install a broadband or dial-up con- 
nection to the Internet at each store location. 
This connection is used to remotely access 
the store either through a virtual private net- 
work (VPN) or other remote control software 
such as pcAnywhere. The risk associated with 
a retail location being directly connected to the 
Internet through the use of remote manage- 
ment software is relatively high with the weak- 
est link in the security chain being the authen- 
tication mechanism. 

The second risk outlined for retail merchants 
is that of wireless networks being used at a 
store location and not properly secured. A re- 
cent report identified "the wireless LAN 
(WLAN) market will grow at an annual rate of 
30 percent per year ... [it] also found that 
WLAN sales have increased 60 percent com- 
pared to last year." This growth in wireless 
networking has not been ignored by retail 
merchants as they begin to implement such 
networks for operating their POS or inventory 
systems. The risk of wireless networks is that 
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few companies implement proper security or 
network segmentation to make these net- 
works safe for financial transactions. 

In the past two years many retail stores have 
been compromised including DSW Shoe 
Warehouse, Polo Ralph Lauren, and BJ's 
Wholesale Club Inc. This trend has increased 
as attackers learn that compromising these 
systems is sometimes easier and more lucra- 
tive than other locations. 

If an attacker wishes to compromise a pay- 
ment gateway they are usually faced with cir- 
cumventing a corporate firewall or looking for 
a vulnerability in one of their Internet applica- 
tions. Retail merchants on the other hand offer 
much less resistance with some connected to 
the Internet with no firewall at all. 

For many companies compliance is driven by 
a stick rather than a carrot. Publicly traded 
companies comply with Sarbanes-Oxley 
(SOX) because if they don't the Securities and 
Exchange Commission (SEC) could shut them 
down. Financial institutions comply with 
Gramm-Leach-Bliley (GLB) so the Federal 



Reserve or their Financial Deposit Insurance 
Corporation (FDIC) auditors do not force them 
to close. The reason companies adhere to the 
PCI DSS standard is because non-compliance 
could result in fines (egregious violations up to 
$500,000), forensic investigation costs, issuer 
and acquirer losses (unlimited liability for 
fraudulent transactions and any card replace- 
ment costs), as well as any dispute resolution 
costs. 

Although Visa cannot directly fine merchants 
and service providers they can assign fees to 
the acquirer who can contractually pass them 
on to the appropriate merchant or service pro- 
vider. If an acquirer does not have a direct re- 
lationship with a service provider it is impor- 
tant that the merchant who does have that re- 
lationship have legal contracts in place to ver- 
ify they can pass the fees along to the service 
provider. 

Without such contractual assignment of fees 
the merchant would be stuck with any fees 
assigned to them resulting from a compromise 
of their credit card data even if their service 
provider was at fault. 



For many companies compliance is driven by a stick rather than a carrot. Publicly traded 
companies comply with Sarbanes-Oxley (SOX) because if they don't the Securities and Ex- 
change Commission (SEC) could shut them down. 



In addition to the negative impact there are 
several positive reasons to comply with the 
PCI DSS. Merchants that wish to comply with 
PCI DSS must validate that their service pro- 
viders are also compliant. 

As a result service providers are offering their 
compliance as a competitive advantage. Al- 
though the list of compliant merchants is not 
publicly accessible, Visa posts a list of all 
compliant service providers on their website. 

Additionally, companies that want to distin- 
guish themselves from their competition or 
show their customers that their personal data 
is secure will comply and issue a press re- 
lease as well as publicizing it in their market- 
ing material. This is especially true with appli- 
cation vendors that have proactively brought 



their software into compliance with the Pay- 
ment Application Best Practices (PABP). 

The PABP is a set of best practices that has 
not yet become part of the PCI compliance 
requirements, but many companies have 
complied with them in order to obtain a com- 
petitive advantage or so their customers can 
meet their compliance requirements. 

Ultimately, the often overlooked benefit to a 
company that meets compliance with the PCI 
DSS is that they are more secure. Having re- 
viewed many companies large and small, 
there is not one that met all of the compliance 
requirements when first audited. Each com- 
pany has something to implement: be it poli- 
cies or a firewall that will make their company 
and their customer's data more secure. 
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Keeping customer data secure may seem like 
an altruistic goal but transitively it keeps the 
company in business. There have been many 
examples where a company lost their cus- 
tomer data that in turn caused long term brand 
and reputation damage to the company. 

An important thing for upper management to 
understand is the difference between compli- 
ance and security. When a company is con- 
sidering a compliance standard they look to 
the expert in that one area and have them as- 
sist with the one compliance issue instead of 
examining all compliance requirements sur- 
rounding data security. For example a bank 
may have several compliance requirements 
such as GLB, PCI DSS and state notification 
laws (i.e. SB1386). Companies that have mul- 
tiple requirements should assign the respon- 
sibility for data security compliance to an in- 
ternal person. If external assistance is re- 
quired then a firm that can help meet compli- 
ance with multiple requirements is better than 
having separate firms assist with addressing 
individual requirements. This reduces redun- 
dancies and cost associated with the compli- 
ance process. 

Once companies assign an employee the re- 
sponsibility of compliance that employee 
should educate upper management about the 
difference between compliance and security. 
Although many companies find the compli- 
ance requirements arduous and time consum- 
ing to comply with, they only represent the 
minimum best practice guidelines for data se- 
curity. While compliance meets a minimum 
standard, some companies may wish to go 
above and beyond these requirements to en- 
sure the security of their systems in other 
ways. 

This method of thinking represents a differen- 
tiation between security and compliance. Al- 
though many people think that by meeting 
their industry compliance requirements they 



will be secure from all hackers and compro- 
mises this is not necessarily the case. One 
simple example is that of internal employee 
theft. Contrary to common belief, most secu- 
rity compromises occur as a result of some 
form of insider fraud. This means that even 
though a company complies with all stated re- 
quirements there is still the risk that an insider 
with proper access, or in collusion with a sec- 
ond employee, could gain access to sensitive 
data and remove it illegally from the company. 

Another example of where compliance does 
not equal security is that of operational man- 
agement over information security systems. 
To meet compliance requirements a company 
must have certain controls in place as well as 
operational management of these controls. A 
company may be compliant one day and not 
the next because the operational controls 
were not followed throughout the year. This is 
a reminder that compliance is measured as a 
point in time but security is continuous 24 
hours a day, 7 days a week, and 52 weeks a 
year. 

The requirements look simple at first but there 
are many nuances to them that require a care- 
ful understanding of the credit card industry 
and all players involved. It is important that 
companies understand their risk exposure and 
what they need to validate compliance. Only 
by understanding the framework can a com- 
pany then begin to dissect the details and in- 
tent behind each requirement. 

But before deciding whether or not to comply 
it is important to understand the risks and im- 
plications of either decision. Compliance does 
not equal security so creating a compliance 
work plan should also involve mapping the 
security needs of your company to the desires 
of the compliance requirements. Only then will 
compliance become an integral and beneficial 
part of your business. 



Michael Dahn is the President of Volubis, Inc. responsible for the management of consultants and project en- 
gagements. Mr. Dahn has a technical background in the management, design, systems integration and im- 
plementation of information security technologies for financial institutions, commercial and international clients. 

Mr. Dahn serves on the Board of Directors for the InfraGard National Members Alliance and is a Certified In- 
formation Systems Security Professional (CISSP). His professional memberships include the (ISC)2, High 
Technology Crime Investigation Association (HTCIA), Information Systems Security Association (ISSA), and 
InfraGard. 
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Mod Security™ is an embeddable web application firewall. It provides protection from a range 
of attacks against web applications and allows for HTTP traffic monitoring and realtime analysis 
with no changes to existing infrastructure. 



Why ModSocurity? 

ModSecurity puts yoj back in control. Here are the top six reasons to use it: 

1 . Embeddable; Works with your existing architecture, Quick to install and 
does not cause disruption. Quick to remove, too, if you decide you don't 
like it, 

2. Network- based; To protect many web servers at once, or applications 
running on web servers other than Apache, install ModSecurity as part of 
an Apache-based reverse proxy. 

3. Monitoring; Unlike many other network-based tools, ModSecurity is 
capable of observing SSL-encrypted web traffic, 

4. Just- in -time patching: Reduces the window of opportunity by making it 
possible to patch a vulnerable application from the outside, with no 
access to the source code. 

5. Forensic logging; You will be able to see the attack payloads 
transported in the HTTP request bodies, Choose what you want to log: 
just attacks, everything or (through the flexible rule language) exactly 
what you want logged. 

b\ Detection and protection; Works as an intrusion detection tool but can 
easily be configured to add a protection layer to your applications, 
defending from classes of attack at once. 



ModSecurity 
^p* Console 



Real-Lime log and alert 
centralisation solution 
far ModSecurity 



All-in-one solution, comes 
with embedded web server 
and database. 

Reliable log centralisation, 
storage, and maintenance. 

Clean web -based graphical 
user interface. 

Email and PDF reporting. 

Portable and easy to install. 
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Early Adopter Discount Mow $350 



ModSecurity for Apache is a free open source product. OEM licences and 
commercial support contracts are available from Thinking Stone. 



www.thinkirgstono.ccTi 
www.modsecurity. o rg 
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VoIP has hit the headlines in recent months and while some stories have fo- 
cussed on the ways in which the technology is proliferating throughout the 
commercial world, other perhaps more alarming articles have touched on the 
security risks. Whilst these reports haven't quite hit levels of mass hysteria, 
and coverage has, by and large, been fueled by vendor hype, the discussion 
surrounding VoIP security has merit. 



Although the underlying technologies of VoIP 
have been around almost as long as IP and 
implementations have existed for many years, 
it is only now that usage is extending from 
intra-office systems to worldwide usage both 
commercially and privately. To this extent, 
VoIP is an immature technology. 

Until commerce relies on a system, it is un- 
likely to be adequately tested. Before the 
World Wide Web was a commercial prospect, 
it was held together by software which would 
now be viewed as somewhere between quaint 
and crazy. VoIP has matured, but is yet to 
really be tested. In addition, a number of com- 
panies have begun offering gateway services 
from Plain Old Telephone Systems (POTS) to 
VoIP and vice-versa, greatly enhancing its 
functionality and assisting quick take-up. 



VoIP is an immature technology emerging into 
an increasingly hostile world, but there's little 
we can do about this. In a world where agility 
and time-to-market routinely come before cost 
and security, the roll-out of new technologies 
is as inevitable as the change of season. IT 
security professionals would urge caution in a 
situation such as this - watch the early adopt- 
ers and you might just avoid getting burned. 
Why this article? Surely this situation is suffi- 
ciently commonplace as to render it uninter- 
esting? Perhaps it is, until you consider 
Skype. 

Skype re-writes VoIP rules 

Skype is VoIP on steroids. Even before eBay's 
muscle backed the telecoms company, Skype 
swept all before it becoming the de facto 
standard in a short space of time. The rea- 
sons for this are more than mere good timing. 
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The Skype client is 'free', at least to the extent 
it costs no money. This, plus cross platform 
compatibility, good voice quality and a range 
of peripheral services such as Skype Out 
have helped the software client to over 247 
million downloads (source: Skype.com). Other 
than its ubiquity, there are other interesting, 
and in some cases slightly disturbing, features 
of Skype. 

One of the reasons Skype is so easy to use is 
that it works on almost any network, even be- 
hind a NAT or firewall with no special configu- 
ration. Such NAT traversing peer-to-peer ac- 
tivity is almost impossible to detect or block, 
especially when you factor in the encryption of 
Skype data. Any network administrators read- 
ing should be worried at this point. Without 
resorting to client-side restrictions, Skype is 
very difficult to stop; layer 7 blocking may be 
effective, but this is rarely black and white. 
Skype transfers information, including file 
transfer and instant messages, both in and out 
of the corporate network, unchecked, unre- 
stricted and encrypted. Security professionals 
should be pulling their hair out because of 
this, and there should be P45s in waiting for 
any IT administrator who hasn't recognised 
this issue. 

Secrecy poses questions 

Other concerns with this technology stem from 
the closed nature of Skype's protocol. Its 
website gives little away and few know in de- 
tail the internal workings of Skype. It just 
works, apparently. This poses a number of 
problems. 

Firstly, because Skype may route your calls 
through untrusted hosts, your data must be 
encrypted. Even if this were not the case, it is 
likely that you'd wish to secure your data. The 
encryption scheme used is, to all intents and 
purposes, untested. Bruce Schneier, one of 
the most respected security authorities, sug- 
gests that the best thing you can say about an 
encryption scheme is: "We can't break it". This 
is even better if other clever people can't 
break it either. However, the encryption used 
in Skype is afforded little of the rigorous aca- 
demic and commercial review of say AES or 
other freely examinable algorithms. Similarly, 
the underlying peer-to-peer systems are un- 
known. How peers through which your data 



are routed are chosen remains unknown. It is 
not impossible that a wily attacker might ex- 
ploit bugs or nuances in routing to their own 
ends. Study of Skype's protocol for any pur- 
pose is expressly forbidden in the license, 
which does not inspire confidence. 

Secondly, closing the protocol necessitates 
closing the client. This may not appear to be a 
significant issue, but in this instance it means 
that the only Skype clients are Skype clients 
(if you follow my capitalization). This repre- 
sents a problem akin to that experienced by 
Microsoft Outlook users some years ago - the 
evolutionary 'dead-end' that is a homogene- 
ous environment. With one dominant client, 
the first email worms spread rapidly and 
caused significant damage. Similarly, Internet 
Explorer's dominance gave it a high profile to 
would-be attackers. Once a security flaw is 
found in Skype (and anyone who believes any 
software other than "Hello World" is immune 
from security flaws has been watching car- 
toons), it is exploitable worldwide. In terms of 
worms and viruses, this is write once, execute 
anywhere. Admittedly, email worms have 
calmed somewhat, and are now more reliant 
on wetware flaws (human error) than bugs in 
a particular software client, but email is a 
much more mature technology. Worms, tro- 
jans and viruses, however have also matured. 
Expect increasingly sophisticated tricks as 
PCs are 'owned' by hackers. 

This 'one client' approach not only forcibly 
widens a user's circle of trust (those entities in 
which a user is willing to entrust their secu- 
rity), but it adds a well known trouble-causer 
to the list. eBay, Skype's 2.5 billion dollar new 
owners, have a less than exemplary record 
with regard to their handling of user data. Ex- 
isting articles have already flagged this salient 
point, but if you wish to talk with other 
'skypers', you're going to have to agree to 
eBay's terms. How its policies will stack up 
outside the US remains to be seen. Many 
businesses would rather pay for a client and 
gain the support of a commercial product. By 
agreeing to the license, you also "grant per- 
mission for the Skype Software to utilize the 
processor and bandwidth of Your computer for 
the limited purpose of facilitating the commu- 
nication between Skype Software users" - a 
"limited purpose" with quite a broad remit! 



www.insecuremag.com 



17 



Defend the network 

With potential security problems like these, it 
would be wise to run Skype with caution, if at 
all. A NAT firewall would mitigate direct attacks 
against your client or server, for example. Un- 
fortunately, some Skype nodes are more vul- 
nerable than others, offering more by way of 
connectivity to untrusted parties. These are 
the 'Supernodes', used for routing calls and 
allowing two NAT restricted 'skypers' to con- 
verse. Any attacker would see a 'Supernode' 
as an obvious target - after all this is access 
to a network service, and traditional network 
services like HTTP, FTP and DNS have al- 
ways seen huge potential for worms such as 
code red. HTTP servers are easy to find, but 
what of Skype 'Supernodes'? Well, you have 
but to ask. The Skype server will, with a little 
coaxing, happily provide a list of IPs currently 
known to be running as 'Supernodes'. This is 
to allow the NAT-ed Skype client who's built-in 



'Supernode' list is outdated to easily find a 
'Supernode' via which to route calls. This list 
of easy targets is unavoidable, and clearly 
poses considerable risk. 

As Skype gains popularity it will come under 
greater scrutiny by both the security industry 
and those with less benign intentions. Threats 
could range from lawsuits, through misuse 
akin to the productivity losses incurred by spu- 
rious web browsing prior to the introduction of 
effective content filters and logging, right 
through to serious security breakdowns. What 
can we do about this? Locking down client 
PCs, limited roll-out where necessary and in- 
telligent security polices are among the best 
defences when implemented with the right pe- 
rimeter firewall and proxy suite. This technol- 
ogy is inevitable, and it looks like Skype may 
'VHS' the world with a possibly inferior, but 
ubiquitous, cheap and effective product. Don't 
say you weren't warned. 



Tom Newton is the product development manager at SmoothWall (www.smoothwall.net), an Internet security 
provider now protecting over a million networks worldwide. 
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Inside Network Security Assessment: Guarding Your IT Infrastructure 

by Michael Gregg, David Kim 

Sams, ISBN: 0672328097 




Inside Network Security Assessment: Guarding Your IT Infrastructure is a 
collection of utilities and templates that will take you through the assessment 
process. Written by two highly qualified authors with close ties to the 
International Information Systems Security Certification Consortium, this book 
was developed with the goal of being a text for the CISSP continuing 
education class on Network Security Assessment. You will be provided with 
step-by-step training on assessing security, from paperwork to penetration 
testing to ethical hacking. 



IPsec Virtual Private Network Fundamentals 

by James Henry Carmouche 

Cisco Press, ISBN: 1587052075 



IPsec Virtual Private Network Fundamentals provides a basic working 
knowledge of IPsec on various Cisco routing and switching platforms. It 
provides the foundation necessary to understand the different components of 
Cisco IPsec implementation and how it can be successfully implemented in a 
variety of network topologies and markets (service provider, enterprise, 
financial, government). This book views IPsec as an emerging requirement 
in most major vertical markets, explaining the need for increased information 
authentication, confidentiality, and non-repudiation for secure transmission of 
confidential data. 
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How Personal & Internet Security Works 

by Preston Gralla 

Que, ISBN: 0789735539 

How Personal and Internet Security Works illustrates in vivid detail the many 
dangers faced by those who use the Internet to send or receive email, surf 
the Web, conduct personal business, use a credit card, or even travel to 
airports and how those dangers can be solved. 

You'll also get detailed explanations of Internet privacy issues such as 
spyware, phishing, identity theft, data mining, biometrics, and security 
cameras, as well as Homeland Security issues such as airport scanning and 
terrorist screening. 

Practical Guide to UNIX for Mac OS X Users 

by Peter Seebach, Mark G. Sobell 

Prentice Hall, ISBN: 0131863339 



This book explains UNIX for the Mac OS X user-giving you total control over 
your system, so you can get more done, faster. Building on Mark Sobell's highly 
praised A Practical Guide to the UNIX System, it delivers comprehensive 
guidance on the UNIX command line tools every user, administrator, and 
developer needs to master-together with the world's best day-to-day UNIX 
reference. This book is packed with hundreds of high-quality examples. From 
networking and system utilities to shells and programming, this is UNIX from the 
ground up-both the "whys" and the "hows"-for every Mac user. 

CISA Exam Cram: Certified Information Systems Auditor 

by Allen Keele, Keith Mortier 

Que, ISBN: 0789732726 

Want an affordable yet innovative approach to studying for the Certified 
Information Systems Auditor (CISA) 2005 exam? CISA 2005 Exam Cram 2 is 
your solution. You will have the essential material for passing the CISA 2005 
exam right at your fingertips. All exam objectives are covered and you'll find 
practice exams, exam alerts, notes, tips and cautions to help guide you through 
your exam preparation. A CD also provides you with a video introduction to the 
exam and complete explanations of answers to the practice questions from 
Certified Tech Trainers (CTT). 

Certified Ethical Hacker Exam Prep 

by Michael Gregg 

Que, ISBN: 0789735318 

Certified Ethical Hacker Exam Prep is the perfect solution for the CEH exam, 
giving you the solid, in-depth coverage you'll need to score higher on the exam. 
Along with the most current CEH content, the book also contains the elements 
that make Exam Preps such strong study aides: comprehensive coverage of 
exam topics, end-of-chapter review, practice questions, Exam Alerts, Fast 
Facts, plus an entire practice exam to test your understanding of the material. 
The book also features MeasureUp's innovative testing software, to help you 
drill and practice your way to higher scores. 
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ompuler forensics vs. electronic evidence 

it D avid Benton and Frank Grmdstaff 




Electronic Evidence is changing the scope and face of many regulatory and 
judicial investigations. People may wonder why they need computer forensics 
in an investigation if they are already using an electronic evidence specialist. 
Why should they pay twice for what they perceive as being the same service? 



In an investigation if there is a large amount of 
items like documents and emails from a large 
number of computers, an electronic evidence 
firm can effectively and efficiently gather the 
files and organize them. If the documents are 
not in electronic format they can be scanned 
and included in the process. Once these 
items are in electronic format they can be fil- 
tered, searched, and reviewed with relative 
ease. In a small investigation where there is 
only one or two personal computers involved, 
you use a computer forensics specialist for 
this. While there is some truth to this there is 
also a lot wrong with it. 

In a large investigation it is common to use a 
firm specializing in electronic evidence to 
handle the electronic discovery needs in the 
investigation. The electronic discovery could 
cover ten's to thousand's of hard drives de- 
pending on the scope of the investigation. If 
this is the only type of electronic discovery 



being utilized, your investigation could be 
missing a lot. While it may be impractical and 
cost prohibited to forensically review all of the 
hard drives at a company, it may also be seen 
as negligence to not forensically review a few 
selective hard drives in an investigation/ 
discovery process. 

When do you need a computer forensics spe- 
cialist and when do you need Electronic Dis- 
covery services? 

First it is perhaps helpful to define computer 
forensics and EDiscovery. Computer Foren- 
sics is the application of the scientific method 
to digital evidence during an investigation in 
order to establish fact, which may be used in 
judicial proceeding. EDiscovery is the provid- 
ing of electronic document(s) pursuant to a 
request or order from a regulatory or judicial 
authority. 
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A forensic review of selective computers can 
help an e-discovery team work more effi- 
ciently by helping them narrow their scope in 
its time frame, number of locations, number of 
computers (email servers, network servers) 
and number of people. Another item to con- 



Computer Forensics 

Investigate and Detail Analysis 

Typically targets selected hard drives 

Searches everything on the hard drive, "de- 
leted" and active items 

Determine who, what, and when 

Creation of a timeline of events 

Reporting and expert testimony 

Breaking of passwords/encryption 

May include backup tapes, email servers, 
other servers 

Includes meta-data 

Normally reviewed by one person at a time, 
in one location 

Searches can take hours or days 



You may notice that searches in computer fo- 
rensics can take days, compared to minutes 
for electronic discovery. This seems odd until 
you look at the way searches are done using 
computer forensic software. 

Consider that a typical personal computer has 
an 80 GB hard drive can have 18,181,820 
pages of data on it. Electronic discovery may 
only look at a small fraction of this data, and 
the search is a text search (byte by byte). In 
computer forensics every bit of the hard drive 
is searched bit by bit, (note: eight bits equals 
one byte). In general, the bit by bit search al- 
gorithm is much slower than the text search. 
This speed difference and the searching by 
bits instead of bytes requires much more time. 



sider is do you want to review deleted items? 
If so, a forensic review is a must for that com- 
puter. Below is a table comparing electronic 
discovery and computer forensics on some of 
the key points. 



Electronic Discovery 



At one time computer forensics was very ex- 
pensive and was viewed as unaffordable for 
the average case. This meant that if any elec- 
tronic evidence was reviewed it was done 
through electronic discovery, not computer 
forensics. Now, with innovations in computer 
forensic software a forensic examination of a 
hard drive is reasonably affordable. This has 
caused more and more cases to include elec- 
tronic evidence that just a few years ago 
would have ignored it. This has caused some 
interesting developments as there was very 
little case law to guide attorneys and judges in 
these matters. The past few years have seen 
more and more rulings on items found using 
computer forensics and more conferences 
and work groups formed to publish guidelines 
on electronic discovery and computer 



Gathering, searching, filtering, and producing large 
amounts of information for review 

Can cover thousands of hard drives 

Active and archived data, normally does not include 
deleted, discarded, hidden, or encrypted data 

Data is accessed, but not analyzed 

Can include backup tapes, email servers, other 
servers 

May or may not include meta-data 

Can be reviewed by numerous people in several 
locations 

Searches can take minutes or hours 
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forensics. One such organization is The Se- 
dona Conference (thesedonaconference.org), 
which is a non-profit, non-partisan law and 
policy think-tank. 

One of the Work Groups, WG1 : Electronic 
Document Retention and Production, purpose 
is to develop principles and best practice 
guidelines concerning electronic evidence re- 
tention and production. These guidelines were 
developed as a joint collaboration between 
attorneys in the public and private sector, 
judges, and other experts. Here are the 14 
proposed guidelines: 

1. Electronic data and documents are poten- 
tially discoverable under Fed. R. Civ. R 34 or 
its state law equivalents. Organizations must 
properly preserve electronic data and docu- 
ments that can reasonably be anticipated to 
be relevant to litigation. 

2. When balancing the cost, burden and need 
for electronic data and documents, courts and 
parties should apply the balancing standard 
embodied in Fed. R. Civ. P. 26(b)(2) and its 
state-law equivalents, which require consider- 
ing the technological feasibility and realistic 
costs of preserving, retrieving, producing and 
reviewing electronic data, as well as the na- 
ture of the litigation and the amount in contro- 
versy. 

3. Parties should confer early in discovery re- 
garding the preservation and production of 
electronic data and documents when these 
matters are at issue in the litigation, and seek 
to agree on the scope of each party's rights 
and responsibilities. 

4. Discovery requests should make as clear 
as possible what electronic documents and 
data are being asked for, while responses and 
objections to discovery should disclose the 
scope and limits of what is being produced. 

5. The obligation to preserve electronic data 
and documents requires reasonable and 
good-faith efforts to retain information that 
may be relevant to pending or threatened liti- 
gation. However, it is unreasonable to expect 
parties to take every conceivable step to pre- 
serve all potentially relevant data. 



6. Responding parties are best situated to 
evaluate the procedures, methodologies and 
technologies appropriate for preserving and 
producing their own electronic data and 
documents. 

7. The requesting party has the burden on a 
motion to compel to show that the responding 
party's steps to preserve and produce rele- 
vant electronic data and documents were in- 
adequate. 

8. The primary source of electronic data and 
documents for production should be active 
data and information purposely stored in a 
manner that anticipates future business use 
and permits efficient searching and retrieval. 
Resort to disaster recovery backup tapes and 
other sources of data and documents requires 
the requesting party to demonstrate need and 
relevance that outweigh the cost, burden and 
disruption of retrieving and processing the 
data from such sources. 

9. Absent a showing of special need and rele- 
vance, a responding party should not be re- 
quired to preserve, review or produce deleted, 
shadowed, fragmented or residual data or 
documents. 

10. A responding party should follow reason- 
able procedures to protect privileges and ob- 
jections to production of electronic data and 
documents. 

11. A responding party may satisfy its good- 
faith obligation to preserve and produce po- 
tentially responsive electronic data and 
documents by using electronic tools and 
processes, such as data sampling, searching 
or the use of selection criteria, to identify data 
most likely to contain responsive information. 

12. Unless it is material to resolving the dis- 
pute, there is no obligation to preserve and 
produce metadata absent agreement of the 
parties or order of the court. 

13. Absent a specific objection, agreement of 
the parties or order of the court, the reason- 
able costs of retrieving and reviewing elec- 
tronic information for production should be 
borne by the responding party, unless the in- 
formation sought is not reasonably available 
to the responding party in the ordinary course 
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of business. If the data or formatting of the 
information sought is not reasonably available 
to the responding party in the ordinary course 
of business, then, absent special circum- 
stances, the costs of retrieving and reviewing 
such electronic information should be shifted 
to the requesting party. 

14. Sanctions, including spoliation findings, 
should only be considered by the court if, 
upon a showing of a clear duty to preserve, 
the court finds that there was an intentional or 
reckless failure to preserve and produce rele- 
vant electronic data and that there is a rea- 
sonable probability that the loss of the evi- 
dence has materially prejudiced the adverse 
party. 



Over the last year or so there has been more 
merging of electronic evidence tools with 
computer forensic tools. Where electronic 
evidence tools would search the storage me- 
dia on a computer or network, it generally 
would only look at undeleted or active files. If 
you thought the file you needed had been de- 
leted, then you called in the computer forensic 
person. They would get the deleted files, file 
fragments, and other artifacts left on the com- 
puter storage media. As electronic evidence 
becomes more prevalent in court, vendors are 
beginning to develop more sophisticated tools 
which will become increasingly important as 
companies must now be sure they comply 
with the new Federal laws such as Sarbanes- 
Oxley. 



J. Frank Grindstaff, Jr., (CPA, CISA, CIA, CCE, EnCE) is on the computer forensics team of a Fortune 500 
company. Frank is a past president of the Atlanta Chapter of Information Systems Audit & Control Association 
(ISACA) and is active in several professional organizations including the High Tech Crime Investigation Asso- 
ciation (HTCIA), ISACA, and the Georgia Society of CPA's. Frank can be contacted at www.gsforensics.com. 
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Review: Acunetix Web Vulnerability Scanner 4.0 

By Mark Woodstonc 



Ten years ago I started working for a small San Francisco based startup that 
was offering consulting services for financial institutions. One of my first du- 
ties there was to be a part of a small penetration testing team. 



Back then we had some good pieces of code 
that was helping us to test modem connec- 
tions, file servers and different networking 
equipment. 

At my current job position, my employer often 
sends me to information security conferences 
all over the States. From the lectures I attend 
and companies exhibiting, it is very obvious 
that the current hot trend is web application 
security. 

With a growing number of businesses going 
online, web applications became one of the 
biggest security issues. The types of scanners 
we used back then evolved to another level 
following the latest threats. 

Acunetix Web Vulnerability Scanner is one of 
the rather new products in the evolving web 
application security market. Before I start this 
review, I must give you a disclaimer - because 



of company policy, some of the screenshots 
accompanying the review will be obfuscated 
or even taken from a scan of Acunetix test 
web servers. 

For the purpose of this review I used the latest 
version of Acunetix Web Vulnerability Scanner 
available - 4.0. With an installation file of just 
above 8 MB, the software will take approxi- 
mately 28 MB of space. 

As you can see from the screenshot on the 
following page, a straightforward software GUI 
offers an optimized three-column structure. 
From left to right we have a main set of op- 
tions and tools, scan results and a window 
containing details of a selected vulnerability 
alert. 

The bottom of the screen hosts a real time ac- 
tivity window that shows the progress of the 
scanning process. 
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etix Web Vulnerability Scanner (Enterprise edition) 



File Tools Help 
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Figure 1 . Acunetix Web Vulnerability Scanner main screen. 



There are four different scan types. The de- 
fault one offers a normal procedure where one 
web site gets all the attention. If the user 
wants to scan multiple sites, there is an option 
to select a file that contains the list of URIs. If 
you already used the software's built-in 
crawler module, you can also act upon its re- 
sults. The final scan type offers scanning of a 
range of IP addresses with web servers run- 
ning on ports specified by the user. I mostly 



used the default option for scanning a single 
web site. After choosing this option, user is 
able to use predefined set of scanning profiles 
and to set specific crawling options. If in any 
case the target web server is located behind a 
HTTP authentication window, you will be able 
to fill in your credentials. When you setup the 
initial scan settings, hitting the finish button 
will fire away the scanner. 
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Although the automatic scan finds a huge 
amount of specific information that could re- 
sult in a possibly vulnerable application, the 
"Manual browsing window" that opens during 
the scan is surely a nice touch by the devel- 
opers. In the window, the user can browse the 
site that is being scanned so the software 
crawler can identify the files that are not di- 
rectly accessible or were not discovered by 
the crawling process. This option is especially 
interesting with web sites that use JavaScript 
navigation. 

Time consumption is an important aspect of 
vulnerability scanners. Both on a simple PHP 
based blog, as well as a large multi-user web 
application, Acunetix Web Vulnerability Scan- 
ner was a bit slow. Because of connection dif- 
ferences, there is no point of mentioning spe- 



cific timeframes in which the software was 
able to scan the systems, but the performance 
is directly connected to the complexity of the 
tests. I have set it up to check all the possible 
details on both scanning scenarios, so I ex- 
pected a longer scanning period. 

Acunetix Web Vulnerability Scanner offers its 
users real time reporting. For instance, when 
the software was in the middle of lenghty scan 
of a complex PHP web application scenario, I 
was able to check the issues that were al- 
ready discovered. 

Alert breakdown is done with four colors, each 
of the representing attack severity - red (high), 
orange (medium), blue (low) and green (in- 
formation). 



Scan results 
- [»] Scan Thread 1 
Bi| Alerts (341) 



Status 



+ 
+ 
+ 
+ 
+ 
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@ PHP code injection (3) 
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. r-.ff D, . 
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Server: Apache/1.3.33 (Win32) PHP/4.4.0 
X-Powered-Ey: PHP/4.4.0 
Connection: close 
Content-Type: image/jpeg 

A View HTML response 

[boot loader] tirneout=30 default=rnulti(0)disk(0)rdisk(0) 
partition(l)\WINDOWS [operating systems] rnulti(0)disk 
(0)rdisk(0)partition(l)\WIrTDOWS= ,l Windows Server 
2003, Enterprise" /fastdetect /NoExecute=OptOut 



® Launch the attack with HTTP Editor 
How to fix tliis vulnerability 

Your script should filter metacharacters from user input. 
Welt references 

• Acunetix Directory Traversal Attacks 

• Security Focus - Penetration Testing forWeb Applications 



0 



Figure 3. The scan results. 



The alerts are presented to the user in an 
easy to manage format: vulnerability type -> 
vulnerability item -> description. Under the 
vulnerability description, the most interesting 
thing is to check out attack details. 

For every detected vulnerability, the user can 
see the actual HTTP headers that triggered 



the vulnerability as well as the HTML re- 
sponse given by the tested server. 

Besides this, the software uses an innovative 
approach allowing the user to modify and rep- 
licate the same attack via a built-in HTTP Edi- 
tor module. Within this GUI, users can craft 
specially structured attacks and analyze the 
server response. 
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S Start 3 Encoder too 
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Server 
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X-Powered-By 
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close 
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Figure 4. The HTTP Editor. 



There is a slight bug with the attack launching 
that manifests in vulnerability items that are 
clearly not exploitable. For instance, inside a 
blue alert that says "Broken link", the user can 
try to launch this attack. There is obviously no 



attack related to this, but the software Al 
doesn't understand the difference. I didn't 
come across any other buggy issues with the 
software, so I thought about mentioning this 
one. 



New Vulnerability 
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Figure 5. The vulnerability editor. 



Advanced users will find the "Vulnerability Edi- 
tor" option very interesting. There you can list 
and edit all the vulnerability types and specific 
items that Acunetix uses for scanning. I was 
really satisfied with the way how users can 
create new items by cloning existing vulner- 



ability information. This way, users develop 
custom sets of vulnerability scanning actions 
that would be optimized for their servers, as 
well as manually update sections of the cur- 
rent vulnerabilities. 
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* 

S HTTP Traps 










|J| L_>" iiJ Rule template < Select a rule template from the list below> 


Rule description 


Trap ASP and PHP requests 


Rule type 


[*] Include 


Apply to 


Request headers 


Regular expression 


(?i]"(GET|POST)\s( -)(V.asp|Vphp)[(\?|/|\\).-]?Vs(HTTP/'1.[01]) 




Update... Add... 
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□ [♦] Trap ASP and PHP requests 


j Request headers 


(?ir(GETIP0ST)H1t^.asph.php]I(WI\y."]?\s[... 






1 1 \i\ Trap requests 


Request headers 


(?ir(GETIPOST]As(HTTP/1.[01]] 
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(?if(G E T IPO S T ] Vs. "V?. "\sH T T P/1 . [01 ] 
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(?i]Content-Type: (application/x-wiwi-f orm-urlen. . . 






1 1 [*1 Trap responses 


Response headers 


(?ifHTTPi1.[01T\s.* 






1 1 @ Don't trap images, ess, scripts 
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Request headers 


(?if(G E T IPO S T ]. "\s(H T T P/1 . [01 ]) 
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Response headers 


pifHTTPytPfts.* 
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1 1 ■Jji Remove gzip,deflate enconding 


Request headers 
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1 1 vjr Replace user agent 


Request headers 


(?i]User-Agent:[\s]?["\n]" 


User-Agent: WVS/2.0 




1 1 / Log get variables 
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(?i]"(G E T IPO S T ] Vs. "\?(. ")\sH T T P/1 . [01 ] 


Get vars are : $2 




1 1 J y Log Host string 


Request headers 


(?i]Host:Vs?(r\rVin\r?\n 


Host: $1 




1 1 jj* 1 Log post vars 
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(?i)^P0 S T . "Content-Type: Vs?application/x-www. . . 


Post vars are: $1 




1 1 Log Server string 


Response headers 


(?i]Server:Vs?r\r\nn\r?\n 


Server: $1 




□ / Log URL 


Request headers 


(?if(G E T IPO S T ] Vs(. ")\s[H T T P/1 . [01 ]] 


URL is: $2 
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Response headers 


(?iJ«;-Powered-Ey:\s?(["\r\n]"]V?\n 


X-Powered-By: $1 




OK 


Cancel 



Figure 6. The HTTP sniffer in action. 



Besides HTTP Editor, Acunetix Web Vulner- 
ability Scanner offers a couple of other invalu- 
able tools: 

• With HTTP Sniffer users can create a cus- 
tom set of traps that would be recorded in the 
sniffing period. By the way, by enabling the 
sniffing option, the software starts a proxy on 
port 8080. 

• HTTP Fuzzer is a nice addition that is used 
for crafting specific requests and tracking the 
server's response. The option is especially 
worthy when used with one of the predefined 
number/character generators which append 
their output to the requests. 



• The last tool I actively used inside Acunetix 
WVS is an Authentication Tester, a brute force 
module that can be configured for testing both 
HTTP and HTML form authentication meth- 
ods. 

The verdict 

The bottom line is that Acunetix Web Vulner- 
ability Scanner 4 is a powerful and versatile 
scanner that proves to be an important piece 
of a web application-testing arsenal. 

As always with penetration testing, some 
things must be done manually, but from the 
perspective of an automated web vulnerability 
scanning procedure, you cannot miss with 
Acunetix WVS. 



Mark Woodstone is a security consultant that works for a large Internet Presence Provider (IPP) that serves 
about 4000 clients from 30 countries worldwide. 
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SSH port forwarding: security 
from two perspectives, part two 

By Andrew J. Bennies ton and Uam A. Fishwfek 



Part 1, published in issue 7 of (IN)SECURE, looked at the technicalities of port 
forwarding, covering local, remote and dynamic port forwarding. Part 2 looks 
at the security implications, and makes some recommendations for securing 
port-forwarding solutions on a network. 



Policies and Configuration 

This part of the article looks at firewall policies 
and SSH server configuration issues, in an 
attempt to secure a LAN (Local Area Network) 
whilst still allowing flexible port-forwarding so- 
lutions. At the end of the article is a table of 
port-forwarding related SSH client command- 
line options for quick-reference. 

Firewall Policies For Inbound SSH 

As SSH typically operates on port 22, the in- 
bound filtering on a firewall should be set such 
that it allows packets to port 22 only on sys- 
tems where there is a reason for external us- 
ers to access SSH. For instance, if the com- 
pany server runs SSH to allow roaming users 
to pick up their email on the road, access to 
that service should be allowed through the 
firewall. Access to arbitrary computers, on port 
22, should be denied. This prevents a user 
running an sshd on their own computer with 



standard settings, and connecting in from a 
remote location. 

Of course, the user could run an sshd on a 
different port; 2222 for instance. A well de- 
signed set of firewall rules will block inbound 
connection attempts to any port except those 
specifically allowed, and with destination ad- 
dresses specific to the server machines run- 
ning those services. In addition, if the firewall 
performs network address translation (NAT) 
then the firewall's IP address would be the 
only externally accessible address, and port 
22 on the firewall would be forwarded to the 
internal SSH server. This solution, however, 
does not scale easily for multiple SSH serv- 
ers. 

Using the above policies, inbound SSH con- 
nections can be effectively limited to servers 
which may be locked down for security. Such 
server hardening is the topic of the next sec- 
tion. 
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Internal SSH Server Configuration 

Most SSH servers default to allowing port for- 
warding. Where there is no reasonable use for 
this feature, it should be disabled. This in- 
stantly protects against many of the possible 
circumventions of firewall rules or security 
policies. 

Where port forwarding is required, or useful, 
two options exist to provide some extra secu- 
rity to this system. The first option is to reduce 
the number of users with accounts on this sys- 
tem to only those that need port forwarding 
capabilities. Users who only need shell access 
should be able to use a different sshd, which 
has had port forwarding disabled entirely. Re- 
ducing the number of users with access to the 
system reduces the number of users with the 
capability to subvert the security policy. 



The sshd conf ig keywords AllowTcpForward- 
ing, AllowTcpForwardingForUsers and Al- 

lowTcpForwardingForGroups control TCP for- 
warding, and allow the server administrator to 
specify users and groups for which TCP port 
forwarding is allowed. When using public-key 
authentication, port forwarding may be turned 
off on a per-key basis by using the 

~/ . ssh/authorized_keys file. 

The second option is to put the server with 
port forwarding enabled into a more secure 
zone of the network, a DMZ (demilitarized 
zone), for instance, where there is a second 
firewall protecting the internal network, and 
allowing connections only to services specifi- 
cally allowed. If you need to allow port for- 
warding to one or two well-defined services 
running on your LAN, this may well be a se- 
cure and practical solution (see Figure 1 be- 
low). 



External 
Firewall 



External 
Client 



Internal 
Firewall 



Internal 
SSH Server 



Internal 
Client 



SSH Server 
in DMZ 



In the network example above, an external 
client may access the SSH server in the DMZ, 
with full port forwarding capabilities. The inter- 
nal firewall only allows certain inbound con- 
nections to pass, however, and so the flexibil- 
ity of the port forwarding is limited by the in- 
ternal firewall. This allows secure solutions to 
retain some of the flexibility of port forwarding. 
Other security concerns exist with the use of 
SSH, and it is of course always recommended 
to change the default settings of an SSH 
server to increase the security. The use of 
public-key authentication, and increasing the 
verbosity of the logging (the LogLevei server 
configuration option) are important considera- 
tions in a secure environment. Lowering the 
time an sshd waits for login to complete is also 



useful on secure servers, as Denial of Service 
attacks could flood the server with connection 
requests and resources would be tied up until 
this time has passed and the connection is 
closed. The LoginGraceTime keyword is re- 
sponsible for setting this time period. 

Firewall Policies For Outbound SSH 

In a perfectly secure environment, outbound 
SSH would be disabled entirely; it is not pos- 
sible to guarantee the security of systems you 
do not have direct control over. In many envi- 
ronments, it is sufficient to allow outbound 
SSH only to certain addresses; remote office 
servers and other systems which are consid- 
ered to be secure, and for which access is 
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needed on a daily basis. For all other out- 
bound SSH, one solution is to put an SSH 
server into the DMZ. This server would accept 
connections from only a limited number of us- 
ers, and allow outbound SSH from that sys- 
tem to anywhere on the Internet. In this way, it 
is possible to restrict which users have such 
access in much the same way as discussed 
above for inbound SSH. 

Outbound SSH Client Configuration 

If your SSH client program allows port for- 
warding to be disabled at compile-time, and 



the users have no means of compiling or us- 
ing their own SSH clients, using this feature 
would be a powerful way to restrict user port 
forwarding. You do, however, lose a lot of 
flexibility in this method. An administrator can 
no longer go to a user machine and use the 
same SSH client to perform activities which 
require port forwarding. This loss of flexibility 
is only worth the security gain in a highly se- 
cure environment. In all other cases, compre- 
hensive firewall rules and SSH server configu- 
ration should suffice. 



Option 


Syntax 


Comments 


-L 


-L lport:address:port 


Local forwarding. Listen on Iport and forward to address:port 
via encrypted channel. 


-R 


-L rport:address:port 


Remote forwarding. Listen on remote server on rport and for- 
ward to address:port via encrypted channel. 


-D 


-D port 


Dynamic port forwarding. Listen on local host on port, as a 
SOCKS5 proxy. The data is transmitted over the encrypted 
channel to the remote server, then on to its destination. 


-g 


-g -L lport:address:port 
-g -R rport:address:port 


Gateway ports. Allow systems other than localhost to connect 
into a local or remote forwarded port. 


+g 


+g -L lport:address:port 
+g -R rport:address:port 


No gateway ports. Prevent systems other than localhost from 
connecting into a local or remote forwarded port. 



Keyword 


Value 


Comments 


AllowTcpForwarding 


Yes / No 


Determines whether TCP port forwarding is 
allowed on a server-wide basis. 


AllowTcpForwardingForUsers 


List of allowed users 


Lists the users which are allowed to use TCP 
port forwarding on this server. 


AllowTcpForwardingForGroups 


List of allowed groups 


Lists the groups which are allowed to use 
TCP port forwarding on this server. 


DenyTcpForwardingForUsers 


List of denied users 


Lists the users which are to be denied port 
forwarding access on this server. 


DenyTcpForwardingForGroups 


List of denied groups 


Lists the groups which are to be denied port 
forwarding access on this server. 



Andrew J. Bennieston contributes to leading computer security websites and forums. His writing efforts include 
articles, tutorials and book/software reviews. His skillset includes C/C++, PHP, Python and Linux administra- 
tion. His personal website is located at http://stormhawk.coldblue.net. 

Liam Fishwick is an undergraduate in Physics at the University of Warwick, UK. His computing experience in- 
cludes Linux and Windows administration and he was instrumental in testing the examples used in this article. 



www.insecuremag.com 



32 



"An vtjbrwjiture itttigkt into mobile* security and tk& o^ortunity to speak, to 

key pedp-te, anthut- the industry. 1 * Qj, icsfc, Wbiie Security -2005 ^iS^fy 

mobilefeecurity 

Combating Mobile Security Threats 6* Exploiting 2006' 
the Revenue Generating Potential of Pre-emptive Security Measures 



3rd - 5th October 2006 

Crown e Plaza, St James, London 




Learn from the experience 
of 12 Operator Case Studies 

to inform your mobile 
security strategy. 
SWISSCOM, Switzerland 



YODAFONE, 



T-MOBILE, international 
ORANGE, UK 



o% Germany 



BT, UK 



TELEFONICA MOVUES, Spain 
TE Li A SON ERA, ■ r=r'd 



TMN, Portugal 



MOBILKOM, Austria 



vodacom. South Africa 



Content Provider Presentation 
from Universal Mobile Musk 

M- commerce Case Study 
from RahoBank 



THE WORLD S MOST COMPREHENSIVE MOBILE SECURITY EVENT: 



□Learn from 12 operator presentations to inform your mobile 
security strategic planning 

□ Develop your understanding of how to combat current mobile 
security threats 

□Discover the revenue generating opportunities mobile security 
presents through M -commerce DRM 

□Gain unrivalled insight into Next Generation mobile security 

□Understand the impact of regulation on the mobile security 
business case 

□Network with key figures in the mobile security industry to discuss 
the issues and build strategic partnerships 
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WINDOWS - Eraser 

http://www.net-security.org/software. php?id=1 55 

Eraser is a secure data removal tool for Windows. It completely removes sensitive data from your 
hard drive by overwriting it several times with carefully selected patterns. 

LINUX - strongSwan 

http://www.net-security.org/software. php?id=643 

strongSwan is a complete IPsec and IKEvI implementation for Linux 2.4 and 2.6 kernels. It in- 
teroperates with most other IPsec-based VPN products. 



MAC OS X - Password Gorilla 

http://www.net-security.org/software. php?id=661 

Password Gorilla helps you manage your logins. It stores all your user names and passwords, 
along with login information and other notes, in a securely encrypted file. A single "master pass- 
word" is used to protect the file. 

POCKET PC - eWallet 

http://www.net-security.org/software. php?id=553 

Have your most important personal information backed up for safekeeping, encrypted and 
password-protected for security, but right with you when you want it. Plus, you can enter your in- 
formation on your Windows PC and synchronize it with your handheld. 



If you want your software title included in the HNS Software Database e-mail us at software@net-security.org 
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Security professionals have come to realize that ensuring data security and 
integrity is critical to business continuity and risk mitigation. However, with 
increasing amounts of data flooding our ever more complex networks, the 
risk of stolen or lost - with you unable to prove that it was not stolen - infor- 
mation continues to rise. 



Online merchant networks are particularly at 
risk from both classic computer attacks and 
more insidious fraud. At the same time, the 
more customer data is collected, the more 
dangerous the situation becomes. In response 
to this trend and to prodding from major credit 
card companies, new security measures are 
being implemented by merchants and other 
businesses to protect the data their customers 
trust them with (or don't even know they 
have...). 

Today, all credit card merchants, service pro- 
viders and retailers who process, store and 
transmit cardholder data have a responsibility 
to protect that data and must comply with a 
diverse range of regulations and industry 
mandates as well as a growing list of volun- 
tary "best practices" frameworks. These in- 
clude the venerous Sarbanes-Oxley bill (better 
known as SOX or SarbOx), the Payment Card 
Industry (PCI) data security standard, the 
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Gramm-Leach-Bliley Act of 1999 and even 
HIPAA (healthcare providers take credit cards 
too!). Not complying with the above might re- 
sult in fines, legal exposure, or both, although 
it is widely known that the regulation differ 
wildly in regards to their "teeth." For instance, 
it was reported that nobody was ever fined for 
being out of compliance with HIPAA. 

But this is easier said than done. Immense 
volumes of log data are being generated on 
such payment networks, necessitating more 
efficient ways of managing, storing and 
searching through log data, both reactively - 
after a suspected incident - and proactively - 
in search of potential risks. For example, a 
typical retailer generates hundreds of thou- 
sands of log messages per day amounting to 
many terabytes per year. An online merchant 
can generate upwards of 500,000 log mes- 
sages every day. One of America's largest re- 
tailers has more than 60 terabytes of log data 



on their systems at any given time. At the 
same time, unlike other companies, the re- 
tailed often have no option of not caring for 
logging. 

The importance of effective and efficient log 
data management in payment networks can- 
not be underemphasized. In fact, the result of 
data mismanagement can be devastating. Re- 
tail Ventures Inc., for example, lost personal 
customer information from 1 08 stores in its 
DSW Shoe Warehouse subsidiary, an incident 
that involved 1 .4 million credit cards used to 
make purchases. The lost data consisted of 
account numbers, names, and transaction 
amounts. Similarly, CardSystems was sued in 
a series of class action cases alleging it failed 
to adequately protect the personal information 
of 40 million consumers. At an individual cost 
of $30 per consumer the costs of repairing the 
damage could be as high as $1.2 billion. What 
is interesting is that in a latter case, only a 
smaller number of cards was "confirmed sto- 
len", while the rest were not "confirmed safe," 
since there were no logs to prove that they 
were not. 



Addressing PCI not only protects businesses 
and merchants from cardholder fraud, but also 
satisfies a broader mandate for information 
protection and security. Several retailed stated 
that complying with PCI makes them auto- 
matically compliance with SOX, due to more 
stringent and more specific requirements de- 
scribed in the PCI standard. Additional bene- 
fits include improved operational efficiencies 
through broad compliance (even likely with 
future regulations!), reduced IT administration 
and maintenance costs, reduced IT labor 
costs and greater IT productivity. At the same 
time, some see complying with PCI as another 
compliance burden for companies, especially 
if IT resources are limited and focused on a 
day-to-day grind of "firefighting." To cost- 
effectively and efficiently comply with PCI, 
companies should look at log management 
and intelligence (LMI) solutions to simplify the 
process of collecting, storing and managing 
log data to both satisfy the reporting and 
monitoring requirements, audit log collection 
requirements as well as enable better incident 
response and forensics. 



Addressing PCI not only protects businesses and merchants from cardholder fraud, but also 

satisfies a broader mandate for information protection and security. 



PCI Compliance Combats Fraud and Im- 
proves Security 

In most cases, when a customer clicks the 
"buy" button on a web site, a number of things 
happen on the backend. An application server 
connects to a database, multiple records are 
updated and sometimes a connection to a 
separate payment application is initiated. 

All those activities generate log files in various 
places: on the servers, applications, data- 
bases as well as on network and security in- 
frastructure components. 

At the same time, the attackers know that 
there might be vulnerabilities in these proc- 
esses and technologies that leave data unpro- 
tected. Internal threats such as insider misuse 
are of even greater concern in this case, since 
there are no perimeter defenses stopping 
such attackers. 



According to recent FBI survey, financial fraud 
is the second-largest category of hacking 
events on the Internet today. Similarly, Gartner 
estimates that 20-30% of Global 1000 compa- 
nies suffer losses due to mismanagement of 
private and confidential information. 

The costs to recover from these mistakes 
could reach up to $5-20 million per company, 
as it happened in a few recent cases affecting 
both commercial and government entities. 

PCI Requirements Center on Security and 
Authorized Access 

Complying with PCI, merchants and service 
providers not only meet their obligations to the 
payment system but create a culture of secu- 
rity that benefits everyone, including the top 
executives. 

The security requirements of PCI extend to all 
system components that are connected to the 
cardholder data environment: 
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• Network components: firewalls, switches, 
routers, intrusion prevention and detection 
systems, proxies and content filters, wireless 
access points as well as other network and 
security appliances 

• Servers: web, database, authentication, do- 
main name service (DNS), mail, network time 
protocol (NTP), directory and others 

• Applications: all purchased and custom 
apps, internally and externally facing web ap- 
plications, Intanet applications, etc 

What is even more important is that compa- 
nies must be able to verify and demonstrate 
their compliance status and to do so rapidly, 
whenever an audit takes place. Such proof of 
compliance is a fundamental and critical func- 
tion that identifies and corrects potential pit- 
falls in the network, and ensures that appro- 
priate levels of cardholder information security 
are maintained. 

PCI requirements revolve around the following 
goals: 

• Build and maintain a secure network 

• Protect cardholder data in transit and at rest 

• Maintain a vulnerability management pro- 
gram 

• Implement strong access control measures 
and audit them on a regular basis 

• Continuously monitor networks and systems 

• Maintain an information security policy 

• Maintain audit trails of all of the above activi- 
ties 

Log data plays a central role in meeting sev- 
eral of these goals. Specifically, without log 
data, companies cannot verify and audit ac- 
cess controls, other security safeguards and 
policies or even monitor their networks and 
systems as well as conduct incident response 
activities. 

The PCI specification highlights the necessity 
of log data collection and management for 
meeting the key requirements. For example, 
Requirement 10 specifies that companies 
should "track and monitor all access to net- 
work resources and cardholder data." The re- 
quirement specifies that companies "imple- 
ment automated audit trails to reconstruct 
events for all system components." These 
events include user access, actions taken, in- 
valid logical access attempts, use of identifica- 



tion and authentication mechanisms, initializa- 
tion of audit logs and creation or deletion of 
system-level objects. It also recommends re- 
cording audit trail entries for each event, in- 
cluding user ID, type of event, date and time, 
success or failure, origination of event, and 
the identity of the affected data or component. 

The PCI standard goes on to say that compa- 
nies should "review logs for all system com- 
ponents at least daily," and the review should 
include servers that handle intrusion detec- 
tion, authentication, authorization and ac- 
counting. 

The interesting thing is that, in the mind of 
many retailers, "review logs daily" does not 
mean that a person would be poring through 
the logs every single day. An automated sys- 
tem can do this just as well, and in fact better. 
In case of such "automated review," alerts 
would be generated in case traces of mali- 
cious, suspicious or fraudulent activity are 
seen in logs. At the same time, a human ana- 
lyst might review reports and alerts that high- 
light such activity as needed. 

In addition, PCI specifies that "an audit trail 
should be retained for a period consistent with 
its effective use, as well as legal regulations," 
and that the "audit history usually covers a pe- 
riod of a t least one year, with a minimum of 3 
months available online." Thus there are also 
log data retention (and the corresponding log 
data destruction requirements!) requirements. 

One should not that log data is implicitly pre- 
sent in many other PCI requirements, not only 
the directly relevant Requirement 10. For in- 
stance, just about every claim that is made to 
satisfy the requirements, such as data encryp- 
tion or anti-virus updates, requires log files to 
actually substantiate it. So, even the require- 
ment to "use and regularly update anti-virus 
software" will likely generate requires for log 
data during the audit, since the information is 
present in anti-virus audit logs. 

It is also well-known that failed anti-virus up- 
dates, also reflected in logs, expose the com- 
pany the malware risks, since anti-virus with- 
out the latest signature updates only creates a 
false sense of security and undermine the 
compliance effort. 
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Similarly, the requirement to "establish, docu- 
ment, and distribute security incident re- 
sponse and escalation procedures to ensure 
timely and effective handling of all situations" 
is unthinkable to satisfy without effective col- 
lection and timely review of log data. 

Thus, logs value to PCI program goes much 
beyond Requirement 10. Only through careful 
log data collection and management can 
companies meet the broad requirements of 
PCI. Such detailed log data management re- 
quires embedded intelligence in the log man- 
agement solution to make the data secure, 
accessible and easy to organize and to auto- 



mate many of the required tasks, such as 
monitoring, analysis and retention. 

LMI for PCI Compliance 

A comprehensive LMI solution that can collect, 
aggregate and centrally store all data from 
these network entities is essential to meet the 
goals of the PCI standard. LMI enables satis- 
fying the audit, monitoring, data protection, log 
data collection and retention, identity access 
and change management cited in PCI re- 
quirement documents. 

Let's look at some of the above requirements 
in more detail. 




Data Protection 

To provide the necessary data protection 
measures, companies should implement an 
LMI solution that enables administrators to set 
alerts on and report on all applications, de- 
vices, and systems. 

This enables them to provide evidence that 
infrastructure has been configured properly 
and are misconfigured systems are not provid- 
ing a backdoor for intruders - or a front door 
to insiders through which vital information can 
leak. 

Alerts can provide administrators with early 
warning of misuse and attacks, allowing them 
to isolate and fix the problem before damage 
occurs or data is lost. And, of various data ac- 
cess policies and processes not being fol- 
lowed. 

Crucial to any implementation of LMI is secur- 
ing the log data itself, both at rest and in tran- 
sit. This not only serves to reduce the risk of 
this vital information leaking, but also prevents 
it from being altered or lost thereby reducing 
its relevance, immutability and forensic quality. 
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Identity access and change management 

Access and change management are critical 
to meeting PCI compliance as well as other 
regulations and IT governance frameworks, 
such as ITIL, COBIT or ISO. Strong access 
and change control measures ensure that only 
authorized users can access or take action on 
critical data. 

The PCI standard mandates that companies 
maintain a complete record of access (both 
failed and successful), activity, and configura- 
tion changes for applications, servers and 
network devices. Such log data allows IT to 
set up alerts to unusual or suspicious network 
behavior and provide information to auditors 
with complete and accurate validation of secu- 
rity policy enforcement and segregation of du- 
ties. 

LMI allows administrators to monitor who has 
permission to access or make changes to de- 
vices and applications in the network. It also 
enables administrators to create a complete 
audit trail across devices and protect network 
resources from unauthorized access or modi- 
fications. 



An effective LMI solution will support central- 
ized, automated storage of collected data al- 
lows for faster, more reliable data retrieval 
during an audit or while investigating suspi- 
cious behavior. 

Network and System Monitoring 

PCI compliance necessitates ongoing moni- 
toring of network activity to validate that proc- 
esses and policies for security, change and 
access management, and user validation are 
in place and up to date. 

Logging and monitoring allow for fast problem 
isolation and thorough analysis when some- 
thing goes or is about to go wrong. With the 
automated monitoring capabilities delivered by 
an LMI solution, companies can better miti- 
gate risk and reduce downtime, because they 
can address data critical for problem resolu- 
tion and threat mitigation rapidly, before dam- 
age spreads. Ongoing and automated moni- 
toring gives administrators greater insight into 
the payment network at all times so that un- 
usual user activity, unauthorized access or 
even risky insider behavior can be identi- 
fied—and stopped— immediately. 

Components of an Effective LMI Solution 

To use log data to unleash its full value for 
compliance, operations excellency and secu- 
rity, companies should implement a log man- 
agement solution that provides the following 
critical capabilities: 

• Collection and aggregation 100% of all log 
data from enterprise data sources including 
firewalls, VPN concentrators, web proxies, 
IDS systems, email servers and all of the 
other systems and applications mentioned in 
the PCI standard. 



• Creation of reports that organize the log data 
quickly and automatically, so that administra- 
tors can deliver detailed network activity in- 
formation and proof of compliance to auditors. 

• Setting of alerts based on changes to indi- 
vidual devices, groups of devices or the net- 
work, to minimize network downtime and loss 
of data due to malicious attacks, security 
breeches, insider misuse or performance is- 
sues. 

• Fast data retrieval from securely stored, un- 
altered raw log files. Immutable logs are criti- 
cal in litigation and attestation. 

• Integration with existing network manage- 
ment and security solutions to reduce mainte- 
nance and administration and leverage exist- 
ing architecture. 

• The ability to contextualize log data (compar- 
ing application, network and database logs) 
when undertaking forensics and other opera- 
tional tasks. 

By now the reader should be convinced that it 
is impossible to comply with PCI requirements 
without log data management processes and 
technologies in place. 

Complete log data is needed to prove that se- 
curity, change management, access control 
and other required processes and policies are 
in use, up to date and are being adhered to. In 
addition, when managed well, log data can 
protect companies when legal issues arise; for 
example, when processes and procedures are 
in question or when a discovery process is ini- 
tiated as a part of an ongoing investigation. 

Not only does log data enable compliance, but 
it allows companies to prove that they are im- 
plementing and continuously monitoring the 
processes outlined by the requirements. In 
fact, that is the ONLY way to prove it! 



Dr. Anton Chuvakin, GCIA, GCIH, GCFA (www.chuvakin.org) is a recognized security expert and book author. 
A frequent conference speaker, he also represents the company at various security meetings and standard 
organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Infor- 
mation Security Management Handbook" and the "Hacker's Challenge 3". 

Anton also published numerous papers on a broad range of security subjects, such as incident response, in- 
trusion detection, honeypots and log analysis. In his spare time he maintains his security portal 
www.info-secure.org and several blogs. 
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Confidential Notes is a practical 
and easy to use solution that 
instantly provides you with 
a high level of security for 
your mobile data. 



For more information on Confidential Notes 
visit www.pocketpcsecurity.com 
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Microsoft claims that the Windows Mobile operating system is secure enough 
for the enterprise. That's not quite true, since unlike Windows XP, handhelds 
don't have advanced security architecture. For example, Pocket PC has no 
Kerberos authentication, Encrypting Filesystem, or a built-in firewall. In fact, 
even the much-touted Mobile2Mobile "secure" signing process for .DLLs and 
.exes can be bypassed with a simple buffer overflow, thus potentially allowing 
malware to take over your device. 



However, once you understand limitations, 
you can then plan your Windows Mobile 
rollout more carefully. Fortunately, there is a 
great deal of 3rd party security software out 
there. Unfortunately, much of it is completely 
insecure. Sadly, Windows Mobile developers 
have not yet been held up to the same scru- 
tiny as desktop software developers. For in- 
stance, you may think your 'encrypted' or 'se- 
cure' data is safe on a Pocket PC because the 
vendor stated as much, when in reality the 
data is insecure. 

In this paper, we expose some weaknesses in 
3rd-party security software for Pocket PC. 
Note that we are not assigning blame to any 
of the developers; in fact, some of them re- 
sponded quickly and were eager to get feed- 
back and to fix the bugs. On the other hand, 



some were angry, threatening, and even dis- 
missive. For us, it doesn't matter if software 
has bugs. All software has flaws; that's why 
you should always use "layered" security. It is 
the responsiveness of a developer, and their 
willingness to fix the product, that helps us 
define a quality developer. 

This is not an attempt to criticize any vendors. 
We selected the target applications at random 
using the search engines provided by reseller 
websites. We are also not disparaging the 
Windows Mobile platform. In fact, we love it 
and use it every day We simply want to make 
it stronger, and more secure. And by raising 
user awareness, perhaps more people will 
pay more attention to how their data is stored. 
The principle of "security through obscurity" 
has long been a discredit. 
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Background 

According to the 2005 Pointsec Mobile Usage 
Survey, an estimated 22% of PDA owners 
have lost their devices. Combine this with the 
statistic that 81% of those lost devices had no 
protection (e.g. PIN or encryption), and the 
problem just got worse. Yet the same survey 
indicates that 37% of PDAs have sensitive in- 
formation on them, such as passwords, bank 
account information, corporate data and more. 

If you think PDA security isn't a real subject, 
just consider the possibility that there is 
someone out there right now with your name, 
email, phone number, and birth date and more 
stored on a digital device that was just left in a 
taxi cab - not a comforting thought. 

Thankfully, a security conscious person can 
find, download, and install a plethora of soft- 



ware that will help them remain productive, yet 
keep their data secure inside an encrypted file 
in the event the device is lost or stolen. On the 
surface, these programs are an excellent idea. 

Financial information, passwords, credit card 
numbers, and even project files can all be 
locked up and secured. In addition, passwords 
that are entered into the PDA for service ori- 
ented programs (e.g. remote access, email, 
chat, etc.) are protected from prying eyes us- 
ing masking techniques so an attacker can 
learn that information. Unfortunately, as we 
discovered, more often than not the security 
mechanisms are nothing but an illusion at 
worst, or terribly flawed at best. The end result 
is that the user is placing their trust in a bro- 
ken program that is insecure. This paper will 
address many of the issues we found and 
what you can look for when investigating the 
quality of your 'secure' program. 



THERE ARE NUMEROUS WINDOWS MOBILE VENDORS THAT STORE SENSITIVE INFORMA- 
TION IN THE REGISTRY WITH FLAWED ENCRYPTION SCHEMES, OR EVEN IN PLAINTEXT! IF 
THE END USER KNEW ANYONE COULD SEE THIS DATA, WHAT WOULD THEY SAY? 



The Windows Mobile Obfuscation Shell 

Before we examine the details of the flaws, it 
is important to understand the nature of the 
operating system. The reason for this is be- 
cause it is our belief that Windows Mobile plat- 
form creates an environment conducive to 
poorly designed security software. 

In contrast, if there is a problem on the Win- 
dows XP (desktop) operating system, it is 
fairly easy for you to find out what is happen- 
ing. For starters, a Ctrl-Alt-Del will allow you 
access to an informative Windows Task Man- 
ager that provides all sorts of information 
about the programs running on the computer. 
In addition, it is simple to find out what is con- 
figured to run at startup via the 'msconfig' 
command. Next, you can look inside the regis- 
try with 'regedit' or use the command line to 
quickly access and view files. And if this isn't 
enough, there are many free tools available 
that can expose almost anything about the 
operating system to its owner. All in all, thanks 
to certain tools, Windows XP is a fairly open 
operating system. 



Now, what kind of details can you find out on 
the Windows Mobile 5 platform? For starters, 
the Task List only mentions the names of the 
open applications that have graphical inter- 
faces. All others are not listed! How can a user 
find out if there is a hidden program that is 
eating up memory? Is there a way to find out 
what executes when the device is rebooted? 
Not for the average user. 

In fact, the only way a user can examine what 
is occurring behind the scenes is via the Vis- 
ual Studio 2005 program that runs on a desk- 
top system - and only if the PDA is synced up 
to that same system. There are some third 
party programs that give access to some of 
this data, but these are not free or as informa- 
tive as Visual Studio. 

The point is this - average Windows Mobile 
users are relatively blind about what their de- 
vice is doing. As this paper will illustrate, there 
are numerous Windows Mobile vendors that 
store sensitive information in the registry with 
flawed encryption schemes, or even in plain- 
text! If the end user knew anyone could see 
this data, what would they say? 
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History has taught the security community that 
software vendors will not code secure soft- 
ware unless forced to do so by consumers. 
The Pocket PC software market is a prime 
example of this 'law', which is why Airscanner 
performed this research. No more excuses... 

The rest of this paper will be examining many 
different programs and their flaws. As you will 
see, blindly trusting a software vendor to keep 
you data safe is very risky. We hope that our 
research will help convince you to thoroughly 
research a product before relying on it to keep 
you secure. 



encryption methods, thus exposing the origi- 
nal value. In this section we will highlight how 
you can find these passwords, with numerous 
examples to prove the point. 

There are several tools that will assist in your 
registry viewing. The first is the registry viewer 
included with Visual Studio. This program is 
not free, but you can obtain a 120 day trial 
version from Microsoft's website. To augment 
this program, we also used an internal (Airs- 
canner) tool that dumps the entire registry, 
and a free program called PHM Registry Edi- 
tor (phm.lu/Products/PocketPC/RegEdit/). 



Protecting the Passwords 

When you use a program that requires a 
password, you assume it will be kept secure. 
This assumption is dangerous, especially on a 
Windows Mobile device. Typically, third party 
passwords are not encrypted. If they are, then 
it is a fairly simple matter to crack many of the 



Plaintext Passwords 

The first group of examples stores the user 
account information in plaintext right under 
their registry key in the HKLMXSoftware or 
HKCU\Software branch. Figure 1 illustrates 
how a program called Verichat stores your 
user information. 
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Figure 1: VeriChat User/Pass storage 



If you note, both the username and password 
are very simple to read. 

The following is a list of programs that were 
examined and found to have similar issues. 



Some store the information in the registry, and 
others simply keep it hidden in a configuration 
file. 
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• Verichat - Chat program 

o HKCU\Software\PDAapps\VeriChat\client# 

• IM+PPC - Chat program 

o \Program Files\IMPIus\implus.cfg 

• Agile - Chat program 

o \HKCU\Software\AgileMessenger 

• MSN Messenger Force 

• Imov Messenger - Chat program (Enterprise version is encrypted) 

• File Transfer Anywhere - File transfer program 

o \HKLM\Software\TTXN\File Transfer Anywhere 

• NeoFTP - FTP client 

o \Program Files\neoFTP\FTP_Hosts.lst 

• Thunderhawk - Web browser 
o thconfig.txt 

• RemoteKeyboard - PC to PDA keyboard 

o \HKCU\Software\TransCreative\RemoteKeyboard\PassCode 



The above list represents those products that 
do not protect the user information. The key 
thing to realize is if someone was able to gain 
access to a PDA for even a few seconds, the 
listed registry entries could be quickly viewed 
or copied out to an external memory card. 

Password Exposure Bugs 

To help protect against such easy attacks, 
some programs do encrypt the user informa- 
tion. Unfortunately, these protections are 
sometimes flawed, which results in exposed 
account information. This can occur either 
through a software bug, or by implementing a 
weak/flawed proprietary method of encryption. 
The following illustrates a few examples. 

BullGuard Antivirus 

BullGuard is an antivirus program that re- 
quires a valid account to update the virus da- 
tabase. Each time the update occurs, the AV 
software sends the email address and pass- 
word used to register the software via an en- 
crypted channel to their server. This protects 
that information during transmission. Unfortu- 
nately, a weak encryption scheme is used to 
protect that password that is stored on the lo- 
cal device. 

In addition to being able to decrypt existing 
passwords, we discovered that certain pass- 
words are 'shortened' thanks to a flawed en- 
cryption algorithm. Figure 2 illustrates this 
bug. The highlighted data is where the en- 



crypted password of 'ssssssss' should be 
posted. Note that there is nothing between the 
semicolon and the OxOD and OxOA. As you 
can see, the password is basically blank! Un- 
fortunately, this represents just one of many 
such defunct passwords that could be se- 
lected. 

Although not related to password storage, it is 
important to note BullGuard stores its virus 
pattern matching information in a plaintext file 
that lists the virus and its pattern. For exam- 
ple, the following is the entry for the WinCE 
Duts virus. 

WinCE-Duts.A(frk)=04001 be50fe0a0e1 28f01 b 
e508001 be50fe0a0e1 28f01 be53380bde85468 
6973 

The reason this is a bad idea is because a 
malicious program can simply patch the virus 
definition file with an incorrect value, thus en- 
suring it won't be considered a virus. Sec- 
ondly, BullGuard includes an auto delete func- 
tion that could become an attack tool if mali- 
cious program inserted a pattern that matched 
all executable and dll files on the PPC (i.e. 
ReallyBadVirus=4d5a9000). 

Abidia and OAnywhere 

The mobile device is an excellent tool for re- 
motely monitoring services. In the case of 
Abidia and OAnywhere, this service is 
eBay.com and Overstock.com account moni- 
toring. 
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Figure 2: Bullguard Registry Entry 



Once the PDA software is installed and con- 
figured, the application will poll the online auc- 
tion websites for updates on items selling, 
buying, etc. The dangers for this type of pro- 
gram are three fold. First, the user account 
information must be securely stored on the 
device. Second, if the program ever has to 
handle the sensitive data, then it must be able 
to ensure the confidentiality of that information 
during program execution. Third, the program 
must securely transmit the data to the service 
provider. 

In the case of Abidia, the user information is 
stored in an XML file in the program directory. 
Fortunately, the eBay account data is en- 
crypted (e.g. ebaypass="2F6DD0EEDA61 
68A7FE2A3AC47436A8720399FB4797D 
E422E"). After reviewing the encryption 
scheme, we determined that it appeared to be 



secure enough given the time involved to 
crack it. However, during this investigation, we 
discovered that the executable file itself could 
be used to decrypt the password. As previ- 
ously mentioned, if a program stores a pass- 
word it must maintain the confidentiality of the 
data at all times. In the case of Abidia, it was 
fairly simple to follow the execution path and 
hook into the program after it decrypted the 
password, which we then were able to display 
on the PDA's screen. 

Finally, we examined the data communication 
process to ensure the user account informa- 
tion was securely transmitted. We discovered 
that the program interacts with an API inter- 
face on Abidia's servers, which serves as a 
proxy to eBay. The following is an actual cap- 
ture of the plaintext HTTP POST request send 
from our Windows Mobile device. 



POST 

/api/get.php?user=sethfogie&pass=mypassword&serial=&imei=22363230F8403111 
1800%2D0050BFE45CE5&site=US&dbg=y&name=buy HTTP/1 .1 
Host: api.abidia.com 

User-Agent: Abidia-Wireless/2.5.3 (PocketPC; 240x320; WindowsMobile/5.1 .70) 
Accept: text/html 
Content-Language: en-US 
Connection: Close 
Content-Length: 93 

Content-type: application/x-www-form-urlencode 



In case you missed it, take a close look at the 
POST string. Abidia does not encrypt the user 
or password. Since this was all performed 



over a regular HTTP session, anyone in the 
data transmission path (including Abidia) can 
capture the account information. 
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It is dangerous enough to trust a third party 
company with user account information, but 
the fact the username and password are sent 
as plaintext is very insecure; particularly if you 
are using a wireless connection and/or a pub- 
lic hotspot. 

Windows Mobile WEP Key 

The Odyssey client included with the original 
(WM2003) Dell X50v stores the WEP keys as 
an encrypted strings in the registry. When the 
network connection is made to the secure 
network, the driver pulls these values from the 
registry, decrypts them, and then incorporates 
the key into the communication process. 
However, during this process, the driver writes 
the decrypted value back into the registry. The 
problem is not Odyssey's, as that program 
does encrypt the key, but is instead a flaw in 
how all three (Windows Mobile, Dell wireless 
driver, Odyssey) work together. 

The following illustrates: Byte 5 - 9 list my en- 
tered WEP keys for each entry. 
KEY1 =aabbccddee 

"HTCWEPDefaultKeyl "=hex: 

01,00,00,00,aa,bb,cc,dd,ee,8c,f6,36,1d,af,90, 

17,5b,00,f6,36,1d,af,00,00,00... 

After we notified the vendors, this problem has 
been fixed in current versions of Windows 
Mobile and there is a ROM update that will 
correct the problem for the Dell Axim X50v. 

PocketMoney 

According to the website, "PocketMoney is the 
most robust financial management tool for the 
Pocket PC." With it, you can "Store the institu- 
tion, phone, account number, expiration date, 
limit, fee for each account. Now you can even 
password protect your PocketMoney data 
from prying eyes!" 

To keep the information safe, PocketMoney 
requires a user to enter a password before 
opening its data file. An 'encrypted' version of 
the password is stored in the registry at the 
HKLM\SOFTWARE\Handmark\PocketMon- 
ey\Password key. Unfortunately, the password 
is protected via a ROT-N function using the 
following seed value: 



0x21 0x70 0x6d 0x6f 0x6e 0x65 0x79 0x21 => 
NAK p m o n e y NAK. 

In other words, the protection of the password 
(and the financial data) is tied directly to the 
word 'pmoney' (sound familiar?). Despite the 
key selection, a ROT-N scheme is always a 
bad idea because it is trivial to do a pattern 
analysis on the encrypted data and deduce 
the key. 

In this section we looked at several examples 
of how not to protect user account information. 
Unfortunately, this problem is wide spread 
through out Windows Mobile programs. Be 
sure you understand the dangers associated 
with trusting a program to keep your user ac- 
count information secure, and always use 
unique passwords. 

Data Protection Programs 

This next section takes a look at programs 
that implement password protection schemes 
that are meant to keep data secure. Unlike the 
previous section that focused only on user ac- 
count information, this section targets pro- 
grams that were designed to store sensitive 
data such as banking transactions, stock in- 
formation, credit card numbers, and lists of 
passwords. In this case, an attacker would 
have access to a much larger chunk of sensi- 
tive data that the user is assuming is secure. 

Financial Management Programs 

This section addresses a common problem 
that exists in numerous 'secure' programs. Al- 
though some programs obscure the issue, all 
of the following titles can all have their security 
mechanisms bypassed by a small change in 
the registry. Note how some companies try to 
hide this fact by placing the registry key in un- 
usual locations, or by burying the flag inside a 
large registry string. 

It should also be mentioned that a malicious 
user can often just copy the 'protected' data 
file off the target device and onto a device that 
has no protection enabled. Since the data it- 
self is not truly protected, an alternate device 
will be able to open it without the need of a 
password. 
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PocketKeeper 

PocketKeeper is program to manage daily 
out-of-pocket expenses with multiple accounts 
different currencies, intuitive register, custom- 
izable categories, budget, multiple report 
charts, and password protection. It has two 
levels of security - a global level that restricts 
access to the program, and an account level 
that secures each account. 

Upon reviewing the files associated with this 
program, it was discovered that both pass- 
words are stored as plaintext in the .dat files 
of the program directory. Specifically, the 
global password is stored in config.dat and 
each account password is stored in its relative 
account file. 

PocketMoney 

PocketMoney not only uses a weak encryption 
scheme to protect the password (discussed in 
previous section), but the protection scheme 
itself can be easily disabled by setting the fol- 
lowing key in the registry to a 0. 

HKLM\SOFTWARE\Handmark\PocketMon- 
ey\Active Password = 0 

In response to this issue, PocketMoney's ven- 
dor rather alarmingly states, "The password in 
PocketMoney wasn't designed to encrypt data 
or prevent anyone other than a casual 
browser from being able to access the data. I 
suggest the user turn on the Palm's (sic) 



password protection if they want their palm 
(sic) secure." We, the users, beg to differ! 

WebIS Money 

WebIS Money states it includes "...secure 
password protection to your data to safeguard 
it in case your PDA is lost or stolen." Unfortu- 
nately, this protection can be disabled by re- 
moving the following key from the registry. 

HKLM\SOFTWARE\Microsoft\Pim\Outlook\l- 
MAP Folders\H11 

MoneyTracer 

MoneyTracer claims "Encryption of your data 
by your own password." While the password 
option is available, it only authenticates the 
user and does not actually encrypt any of the 
data, as claimed. To disable the 'encryption', 
set the following key to '0'. 

\HKLM\SOFTWARE\Maction\MoneyTracer\bE 
nablePassword = 0 

TinyStocks Stock Manager 

TinyStocks states "Stock Manager can be pro- 
tected with a 4-digit PIN number." This PIN is 
stored as a four byte value within a prefer- 
ences string in the registry. The following lists 
the location and provides a screen shot of the 
key with the password set/unset. 

HKCU\Software\TinyStocks\Stock Manager\ 
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Figure 3: Screenshot of the StockManager registry key 
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When asked about this issue, TinyStocks re- 
plied, "The password protection in Stock Man- 
ager is not meant to be secure but to stop 
casual access to the program. The data itself 
is unencrypted and so it's quite easy to just 
look at it." 

PocketExepense Pro 

PocketExpense Pro creates a .vol file that 
contains all its financial information. Included 
in the file are the settings associated with the 
password option. In this program, all the pref- 
erences are stored in a large hex string in the 
registry. However, it is possible to disable the 
password by changing the hex at 0x7D94 
from 0xF4 to 0xD4. 

Inspiration 

Inspiration is a project management program 
that uses 'built-in security features' to "...keep 
files from accidentally being modified when 
handhelds are shared between multiple us- 
ers." Therefore, it is fair to say that the pass- 
word was never meant to offer any true secu- 
rity. 

However, if an attacker wanted to remove the 
password requirement, they would only have 
to overwrite the encrypted password value 
that is stored in the project header. Specifi- 
cally, bytes 0x95 - 0xA3 need to be set to 
0x20 0x00 0x20 0x00 etc. 

Microsoft Money for Windows Mobile 2006 

MS Money for Windows Mobile 2006 is a fi- 
nancial tracking program that can be used in- 
dependently or with the MS Money application 
that runs on many desktops. 

The program can be configured to require a 
password when it is launched. However, this 
password does not encrypt the data, which 
stored as plaintext in data stores in the Data- 
bases folder. 

The password is stored in the registry at 
HKLM\SOFTWARE\Microsoft\Money2000 
CE\Options\Display in an encrypted format. 
However, the encryption scheme used to pro- 
tect the password from viewers is a weak pro- 
prietary algorithm and can be cracked using 
the following equation: 



(((encrypted byte - A0)/4) * 8) + 24h) - en- 
crypted byte = password byte (all hex calcs) 

Finally, the password requirement can be nul- 
lified by deleting the key from the registry, 
which will cause the program to think the 
password option is not set. 

PasswordXCredit CardXPIM Management Pro- 
grams 

The following programs are used to store sen- 
sitive information, such as password lists, web 
site login information, credit card numbers and 
more. Due to the nature of the data, these 
programs need to be secure. If an attacker 
can access the 'protected' information, they 
will have gained access to a wealth of infor- 
mation. 

As illustrated, the previous financial programs 
do not protect your data. Although most ven- 
dors use security as a selling point, in reality a 
simple registry tweak will allow anyone access 
to this sensitive data. Even the vendors admit 
their software is insecure and recommend al- 
ternative steps to secure the data. 

Password Master 1 .0 - Free version 

Password Master 1 .0 allows you to "Keep all 
your passwords, Credit Card Numbers and 
other details in a single place. Carry your 
money or details virtually everywhere." Ac- 
cording to their website, "Since all the details 
you enter are sensitive data, the Password 
Manager helps you to create a Secure Login 
to the records. You can create a Master 
Password, which will work as your Master key 
for all the virtual locks you know." 

Unfortunately, if someone deletes the follow- 
ing key from the registry, the master key will 
be reset, thus allowing full access to the data. 

\HKEY_CURRENT_USER\Software\Da- 
ta\Password Master\Pref\dt 

This version of the program is free. The ven- 
dor's website provides this tool, but also ad- 
vertises their Password Master 3.5 version 
that requires a payment. We look at this ver- 
sion later in this section. 
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Passman 1.2 

Passman 1 .2 is a password management 
program that can create and store a list of 
passwords. It includes an option for a startup 
password and also provides for '512bit en- 
cryption' of the data. Both protection meas- 
ures can be cracked. 

To bypass the startup password, a malicious 
user only has to set the startpasswdenabled 
registry key to '0'. 

\HKEY_CURRENT_USER\Software\passman 
\preferences\startpasswdenabled. 

However, if the database is encrypted, the ac- 
tual data will still be secure. Unfortunately, the 
password used to encrypt the database is it- 
self not properly protected. The following 
equation will decrypt the password stored in 
the registry, thus giving an attacker full access 
to the database. 

Assume: 

B is byte of password in hex 
P is position of target byte (0-5 for this exam- 
ple) 

B-(25-(3*P)) = Bplaintext 
=>26 23 20 1D 1A 17 = 111111 

The end result is that the password option can 
be disabled, the password can be cracked, 
and the database can be decrypted by an un- 
authorized user. 

Password Master 3.5 

Password Master 3.5 states it will "Keep all 
your passwords, Credit Card Numbers and 
other secured details in a single place. Carry 
your money or details virtually everywhere. 
Now includes a Free Desktop Companion!" In 
other words, it performs much the same func- 
tion as CodeWallet Pro. 

Ironically, like the previous example, Pass- 
word Master 3.5 also does not encrypt its in- 
formation using a unique password. Instead it 
relies on the user provided password to 
authenticate the operator to the file, and then 
decrypts the data using an internal algorithm. 



Therefore, using the same technique outlined 
previously, an attacker only has to obtain the 
secure file and overwrite a few bytes of hex in 
the header to gain access to that file, and the 
'secured' contents within. In this case, the hex 
range is from 0x2A - 0x5B. 

In addition to the overwrite vulnerability, this 
program also was found to have a bug in the 
'hint' feature that enables a user to obtain their 
password if they forget it based on a question/ 
answer. However, if the user never configures 
the hint option, the program will give up the 
password regardless of a correct hint/answer 
combination. While this is a security risk, it is 
based on a software bug - not a broken secu- 
rity model. 

It is important to note that Password Master 
3.5 also includes a desktop companion that 
operates in the exact same way as its mobile 
counterpart. This desktop based program also 
suffers from the header overwrite bug. 

CodeWallet 6.0.5 

CodeWallet is one of the premier programs 
that fall into the category of Secure Informa- 
tion Manager. It will protect your sensitive in- 
formation, including credit cards, passwords, 
etc., in an encrypted file that a user decrypts 
with a password when opening. 

During testing, we initially thought that Code- 
Wallet used the same dysfunctional method of 
'encryption' used by Password Master. How- 
ever, CodeWallet looked into our report and 
commented that the while it was possible to 
open a file, all the data was still encrypted. 

After further research, we found that when a 
Wallet file is created, its encryption is tied to 
the original password used to create the file. If 
the password is changed after this, it will only 
change the authentication requirements, and 
not affect the encryption. 

Unfortunately, the My Sample Wallet included 
with the program comes with a known pass- 
word, which an attacker can use against other 
files based on the Sample Wallet. As a result, 
anyone who used the Sample Wallet as a 
template to build their own secure Wallet is 
vulnerable to the header over write attack. 
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Miscellaneous Information Disclo- 
sure Bugs 

Not all Windows Mobile related security prob- 
lems are related to failed protection schemes. 
This section will outline several other program 
and bugs that were found during the research 
project. 

Remote Keyboard 

From the vendors website, "Remote Keyboard 
is a program that connects PC keyboard and 
mouse to your Pocket PC over ActiveSync 
connection or TCP/IP network." This is a 
handy program for power users who need to 
enter a lot of text into the PDA. 

Once installed, the client on the PC sends out 
UDP packets containing an IP address to port 
23 that are detected by a listener on the PDA. 
Upon detection, the PDA will connect back to 
port 8123 on the specified IP address. At this 
point the PC will query for the correct pass- 
word, which is provided by the PDA applica- 



tion. Finally, the connection is made and the 
user can control the PDA remotely from the 
PC client. 

We discovered a few problems with this pro- 
gram that can expose the password used to 
authenticate the connection as well as capture 
the clipboard contents of the PC. The first is- 
sue was discovered when we created a cus- 
tom UDP packet that contained our "server's" 
IP address and passed it onto the network. 
The Remote Keyboard listener on the PDA 
detected this packet, and immediately tried to 
connect to our computer on port 8123. Upon 
seeing this, we then created a small and sim- 
ple 'server' that emulated the login process. 
As guessed, once the PDA had connected to 
the 'server' and negotiated the connection, it 
sent the 'server' the authentication password. 

Using this captured password, we then tel- 
neted to the PC service running on port 8123 
and discovered that the program dumped the 
entire contents of the clipboard onto the wire 
after a successful login. The following pro- 
vides a screenshot of this bug. 
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Stream Content 
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Figure 4: Remote Keyboard capture 



ActiveSync 3.8 

ActiveSync is 'the' program used to sync a 
Windows Mobile device to a PC. It is the 
most-downloaded Windows Mobile software 
application of all time. Contained in this pro- 
gram are functions used to upload software, 
sync up emails, and much more. Version 4.0 
and above have restricted any form of network 
based synchronization; however, as many us- 



ers rely on this feature for their day to day 
synchronization needs, Microsoft still provides 
AS 3.8 as a download. 

As we discovered in mid-2005, the AS3.8 
service on the PC opens up port 990 on any 
existing interface (i.e. wired, wireless, PPP, 
etc.). This port allows access to the Active- 
Sync service, which can be abused to spawn 
a password box on the PC users screen 



www.insecuremag.com 



50 



(figure 5). If a user enters a value in this dialog 
box, the characters of the password are re- 
turned to the attacker, who can then use this 



data to gain access to the protected PDA or 
create a connection between an attacker's 
PDA and the target PC. 



Password Protected 




This mobile device is password protected. In order to 
connect to the device, you must enter its password. 



Password: 



I - Save password 



OK 



Figure 5: Spoofed spawned password dialog box 



Suggested Fixes 

As this document illustrates, there is a serious 
problem with regard to sensitive information 
and the handheld device. The following pro- 
vides several suggestions as to how you can 
mitigate the risks we discussed. 

Password protect your device 

Windows Mobile comes with a password pro- 
tection feature that will lock the device to un- 
authorized users. There are also third party 
vendors who provide a lock and wipe program 
that incorporates password protection with a 
memory wipe feature if the wrong password is 
used. However, it is important to note that a 
logon will not protect the data on external 
memory cards. 

Encryption 

All sensitive data must be secure using a 
known and proven encryption scheme/ 
program. This is especially important for ex- 
ternal media cards often used in PDA's. It only 
takes a second to remove a card from a PDA. 
We recommend you inquire as to the encryp- 



tion scheme used. Windows Mobile includes a 
MS Crypto API that has so far proven to be 
solid. While there could be others, programs 
that use this API are probably going to be se- 
cure. 

Limit exposure 

Given the statistics, it is recommended that 
PDA users limit the amount and type of data 
found on a device. Store files on different me- 
dia cards, based on their function and only 
carry them with you when they are needed. By 
combine preventative security actions with re- 
active security fail safes (i.e. data wiping 
password programs), you can mitigate the se- 
curity dangers even if the device is lost. 

Use computer security common sense 

The PDA is a hand held computer, and should 
be treated as one: do not download and exe- 
cute untrusted software, use antivirus pro- 
grams to scan/protect your device regularly, 
use a strong password and change it regu- 
larly, and disable unwanted services like Blue- 
tooth. In short, employ the same precautions 
you would apply to your PC usage. 
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Virus attacks have firmly established themselves as the leading IT security 
threat. Not only do they result in financial losses, but they also serve as a ve- 
hicle for many other security threats, such as the theft of confidential informa- 
tion and unauthorized access to sensitive data. The antivirus industry has re- 
sponded by coming up with a number of new approaches to protecting IT in- 
frastructures - to name a few, these include proactive technologies, emer- 
gency updates during outbreaks, significantly more frequent antivirus data- 
base updates, etc. This article will provide more information on the newest 
technologies used by antivirus companies and help users to judge the effec- 
tiveness of these technologies more objectively. In this article, we will focus 
on proactive technologies. 



Virus attacks cause enormous damage and, 
equally important, the number of types of ma- 
licious code is growing at an increasing rate. 
In 2005, growth in the number of malicious 
programs exploded: according to Kaspersky 
Lab, the average number of viruses detected 
monthly reached 6,368 by the end of the year. 
Overall growth for the year reached 117% 
compared with 93% for the previous year. 

Likewise, the nature of the threat itself has 
changed. Malicious programs are not only 
much more numerous, but also significantly 
more dangerous than ever before. The antivi- 
rus industry has responded to the challenge 
with a number of new approaches to antivirus 
protection, including proactive technologies, 



shorter response times to new threats that can 
cause outbreaks, as well as more frequent an- 
tivirus database updates. This article provides 
a detailed analysis of the proactive protection, 
often promoted by vendors as a panacea for 
all existing and even all possible viruses. 

An Introduction to Proactive Technologies 

Contemporary antivirus products use two 
main approaches to detect malicious code - 
signature-based and proactive/heuristic 
analysis. The first method is sufficiently sim- 
ple: objects on the user's computer are com- 
pared to templates (e.g., signatures) of known 
viruses. This technology involves continually 
tracking new malicious programs, and 
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creating their descriptions, which are then in- 
cluded in the signature database. Therefore, 
an antivirus company should have an effective 
service for tracking and analyzing malicious 
code (that is, antivirus lab). The main criteria 
used to evaluate how effectively the signature- 
based approach is implemented include new 
threat response times, frequency of updates 
and detection rates. 

The signature-based method has a number of 
obvious shortcomings. The primary disadvan- 
tage is the delayed response time to new 
threats. There is always a time lag between 
the appearance of a virus and the release of 
its signature. Contemporary viruses are capa- 
ble of infecting millions of computers in a very 
short time. 

Thus, proactive/heuristic methods of virus de- 
tection are becoming increasingly popular. 
The proactive approach does not involve re- 
leasing signatures. Instead, the antivirus pro- 
gram analyzes the code of objects scanned 
and/or the behavior of the applications 
launched and decides whether the software is 
malicious based on a predefined set of rules. 

In principle, this technology can be used to 
detect malicious programs that are as yet un- 
known, which is why many antivirus software 
developers were quick to advertise proactive 
methods as a panacea for the rising wave of 
new malware. However, this is not the case. 
To judge the effectiveness of the proactive 
approach and whether it can be used inde- 
pendently from signature-based methods, one 
must understand the principles upon which 
proactive technologies are based. 

There are several approaches which provide 
proactive protection. We will look at the two 
which are the most popular: heuristic analyz- 
ers and behavior blockers. 

Heuristic Analysis 

A heuristic analyzer (or simply, a heuristic) is a 
program that analyzes the code of an object 
and uses indirect methods of determining 
whether it is malicious. Unlike the signature- 
based method, a heuristic can detect both 
known and unknown viruses (i.e., those cre- 
ated later than the heuristic). 



An analyzer usually begins by scanning the 
code for suspicious attributes (commands) 
characteristic of malicious programs. This 
method is called static analysis. For example, 
many malicious programs search for executa- 
ble programs, open the files found and modify 
them. A heuristic examines an application's 
code and increases its "suspiciousness 
counter" for that application if it encounters a 
suspicious command. If the value of the 
counter after examining the entire code of the 
application exceeds a predefined threshold, 
the object is considered suspicious. 

The advantages of this method include ease 
of implementation and high performance. 
However, the detection rate for new malicious 
code is low, while the false positive rate is 
high. 

Thus, in today's antivirus programs, static 
analysis is used in combination with dynamic 
analysis. The idea behind this combined ap- 
proach is to emulate the execution of an ap- 
plication in a secure virtual environment 
(which is also called an emulation buffer or 
"sandbox") before it actually runs on a user's 
computer. In their marketing materials, ven- 
dors also use another term - "virtual PC emu- 
lation". 

A dynamic heuristic analyzer copies part of an 
application's code into the emulation buffer of 
the antivirus program and uses special "tricks" 
to emulate its execution. If any suspicious ac- 
tions are detected during this "quasi- 
execution", the object is considered malicious 
and its execution on the computer is blocked. 

The dynamic method requires significantly 
more system resources than the static 
method, because analysis based on this 
method involves using a protected virtual envi- 
ronment, with execution of applications on the 
computer delayed according to the amount of 
time required to complete the analysis. At the 
same time, the dynamic method offers much 
higher malware detection rates than the static 
method, with much lower false positive rates. 

The first heuristic analyzers became available 
in antivirus products sufficiently long ago, and 
all antivirus solutions now take advantage of 
more or less advanced heuristics. 
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Behavior Blockers 

A behavior blocker is a program that analyzes 
the behavior of applications executed and 
blocks any dangerous activity. Unlike heuristic 
analyzers, where suspicious actions are 
tracked in emulation mode (dynamic heuris- 
tics), behavior blockers work in real-life condi- 
tions. 

First-generation behavior blockers were not 
very sophisticated. Whenever a potentially 
dangerous action was detected, the user was 
prompted to allow or block the action. Al- 
though this approach worked in many situa- 
tions, "suspicious" actions were sometimes 
performed by legitimate programs (including 
the operating system) and users who didn't 
necessarily understand the process were of- 
ten unable to understand the system's 
prompts. 

New-generation behavior blockers analyze 
sequences of operations rather than individual 
actions. This means that determining whether 
the behavior of applications is dangerous re- 
lies on more sophisticated analysis. This helps 
to significantly reduce the number of situations 
in which the is prompted by the system and 
increases the reliability of malware detection. 



Today's behavior blockers are able to monitor 
a wide range of events in the system. Their 
primary purpose is to control dangerous activ- 
ity - that is, analyze the behavior of all proc- 
esses running in the system and save infor- 
mation about all changes made to the file sys- 
tem and the registry. If an application performs 
dangerous actions, the user is alerted that the 
process is dangerous. The blocker can also 
intercept any attempts to inject code into other 
processes. Moreover, blockers can detect 
rootkits - i.e., programs that conceal the ac- 
cess of malicious code to files, folders and 
registry keys, as well as make programs, sys- 
tem services, drivers and network connections 
invisible to the user. 

Another feature of behavior blockers that is 
particularly worth mentioning is their ability to 
control the integrity of applications and the Mi- 
crosoft Windows system registry. In the latter 
case, a blocker monitors changes made to 
registry keys and can be used to define ac- 
cess rules to them for different applications. 
This makes it possible to roll back changes 
after detecting dangerous activity in the sys- 
tem in order to recover the system and return 
it to its state before infection, even after un- 
known programs have performed malicious 
activity. 



NEW-GENERATION BEHAVIOR BLOCKERS ANALYZE SEQUENCES OF OPERATIONS 
RATHER THAN INDIVIDUAL ACTIONS. THIS MEANS THAT DETERMINING WHETHER THE BE- 
HAVIOR OF APPLICATIONS IS DANGEROUS RELIES ON MORE SOPHISTICATED ANALYSIS. 



Unlike heuristics, which are used in nearly all 
contemporary antivirus programs, behavior 
blockers are much less common. One exam- 
ple of an effective new-generation behavior 
blocker is the Proactive Defence Module in- 
cluded in Kaspersky Lab products. 

The module includes all of the features men- 
tioned above and also, importantly, a conven- 
ient system that informs the user of the dan- 
gers associated with any suspicious actions 
detected. Any behavior blocker requires input 
from the user at some point; so the user must 
be sufficiently competent. In practice, users 
often do not have the knowledge required, 
and information support (in effect, decision- 



making support) is an essential part of any 
contemporary antivirus solution. 

To summarize, a behavior blocker can prevent 
both known and unknown (i.e., written after 
the blocker was developed) viruses from 
spreading, which is an undisputed advantage 
of this approach to protection. 

On the other hand, even the latest generation 
of behavior blockers has an important short- 
coming: actions of some legitimate programs 
can be identified as suspicious. Furthermore, 
user input is required for a final verdict regard- 
ing whether an application is malicious, which 
means that the user needs to be sufficiently 
knowledgeable. 
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Proactive Protection & Software Flaws 

Some antivirus vendors include statements in 
their advertising and marketing materials that 
proactive/heuristic protection is a panacea for 
new threats, which does not require updating 
and therefore is always ready to block attacks, 
even for those viruses that do not as yet exist. 
Moreover, brochures and datasheets often 
apply this not only to threats that use known 
vulnerabilities, but to so-called "zero-day" ex- 
ploits as well. In other words, according to 
these vendors, their proactive technologies 
are capable of blocking even malicious code 
which uses unknown flaws in applications 
(those for which patches are not yet avail- 
able). 

Unfortunately, either the authors of these ma- 
terials are insincere or they don't quite under- 
stand the technology well enough. Specifi- 
cally, combating malicious code is described 
as a fight between virus writers and automatic 
methods (proactive/heuristic). In reality, the 
fight is between people - virus writers versus 
antivirus experts. 

The proactive protection methods described 
above (heuristics and behavior blockers) are 
based on "knowledge" about suspicious ac- 
tions characteristic of malicious programs. 
However, this "knowledge" (i.e., a set of 
behavior-related rules) is input into the pro- 



gram by antivirus experts and is obtained by 
analyzing the behavior of known viruses. 
Thus, proactive technologies are powerless 
against malicious code that uses completely 
new methods for penetrating and infecting 
computer systems, which appeared after the 
rules were developed - this is what zero-day 
threats are all about. Additionally, virus writers 
work hard to find new ways of evading behav- 
ior rules used by existing antivirus systems, 
which in turn significantly reduces the effec- 
tiveness of proactive methods. 

Antivirus developers have no choice but to 
update their set of behavior rules and upgrade 
their heuristics in response to the emergence 
of new threats. These types of updates are 
certainly less frequent than in the case of virus 
signatures (code templates), but still need to 
be performed regularly. As the number of new 
threats increases, the frequency of such up- 
dates will inevitably rise as well. As a result, 
proactive protection will evolve into a variant 
of the signature method, albeit based on "be- 
havior" rather than code patterns. 

By concealing the need to update proactive 
protection from users, some antivirus vendors 
in effect deceive both their corporate and per- 
sonal clients and the press. As a result, the 
public has a somewhat erroneous idea of the 
capabilities of proactive protection. 



BY CONCEALING THE NEED TO UPDATE PROACTIVE PROTECTION FROM USERS, SOME 
ANTIVIRUS VENDORS DECEIVE BOTH THEIR CLIENTS AND THE PRESS. 



Proactive vs. Signature-Based Methods 

Despite their shortcomings, proactive methods 
do detect some threats before the relevant 
signatures are released. An example of this 
can be seen in the response of antivirus solu- 
tions to a worm called 
Email-Worm. Win32. Nyxem.e (Nyxem). 

The Nyxem worm (also known as Blackmal, 
BlackWorm, MyWife, Kama Sutra, Grew and 
CME-24) can penetrate a computer when a 
user opens an email attachment containing 
links to pornographic and erotic sites or a file 
on open network resources. It takes the virus 
very little time to delete information on the 



hard drive. Up to 11 different file formats are 
affected (including Microsoft Word, Excel, 
PowerPoint, Access, Adobe Acrobat). The vi- 
rus overwrites all useful information with a 
meaningless set of characters. Another dis- 
tinctive characteristic of Nyxem is that it only 
becomes active on the third of each month. 

A research group from Magdeburg University 
(AV-Test.org) carried out an independent 
study to assess the time it took different de- 
velopers to respond once Nyxem emerged. It 
turned out that several antivirus products were 
able to detect the worm using proactive tech- 
nologies, i.e. before the signatures were re- 
leased: 
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Proactive detection of Nyxem by behavior blockers 



Kaspersky Internet Security 2006 (Beta 2) 


DETECTED 


Internet Security Systems: Proventia-VPS 


DETECTED 


Panda Software: TruPrevent Personal 


DETECTED 


Proactive detection of Nyxem by heuristics 



eSafe 


Trojan/Worm [101] (suspicious) 


Fortinet 


Suspicious 


McAfee 


W32/Generic.worm !p2p 


Nod32 


NewHeur_PE (probably unknown virus) 


Panda 


Suspicious file 



Overall, eight antivirus products detected 
Nyxem using proactive methods. Does this, 
however, mean that proactive technologies 
can replace the "classical" signature-based 
approach? Certainly not. To be valid, analysis 
of the effectiveness of proactive protection 
should be based on tests involving large virus 
collections, not individual viruses, however 
notorious. 

One of the few widely acknowledged inde- 
pendent researchers who analyze proactive 
methods used by antivirus products on large 
virus collections is Andreas Clementi 
(www.av-comparatives.org). To find out which 



antivirus programs are capable of detecting 
threats that do not as yet exist, solutions can 
be tested on viruses that appeared recently, 
e.g., within the past three months. Naturally, 
antivirus programs are run with signature da- 
tabases released three months ago, so that 
they are confronted with threats that were 
then "unknown" to them. Andreas dementi's 
focus is on the results of this type of testing. 

Based on the results of testing conducted in 
2005, the heuristics used in the Eset, Kasper- 
sky Anti-Virus and Bitdefender solutions were 
the most effective. 
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Figure 1. Proactive (heuristic) detection rates - Source: AV-comparatives.org 
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The test used a collection that included 8,259 
viruses. From the results above, we see that 
the highest detection rate in the test was 
about 70%. This means that each of the solu- 
tions tested missed at least 2,475 viruses, 
hardly an insignificant figure. 



In another test of the effectiveness of heuristic 
analyzers conducted by experts from Magde- 
burg University (AV-Test.org) in March 2006 
for PC World magazine, detection rates 
achieved by leaders of the test did not exceed 
60%. Testing was conducted using one-month 
old and two-month old signatures. 
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Figure 2. Proactive (heuristic) detection rates - Source: PC World, AV-Test.org 



It should be noted that the high detection rates 
demonstrated by heuristic analyzers have a 
downside: their false positive rates are also 
very high. To operate normally, an antivirus 
program should strike a balance between de- 
tection rates and false positive rates. This is 
also true of behavior blockers. 

The results of the analyses conducted by 
AV-comparatives.org and AV-Test.org provide 
a solid illustration of the fact that proactive 
methods alone are incapable of providing the 
necessary detection rates. 

Antivirus vendors are perfectly aware of this 
and, for all their rhetoric on proactive tech- 
nologies, continue to use classical signature- 
based detection methods in their solutions. 
Tellingly, developers of purely proactive solu- 
tions (Finjan, StarForce Safe'n'Sec) must pur- 
chase licenses for "classical" signature-based 
technologies from third parties and to use in 
their products. 



Naturally, signature-based methods have 
shortcomings as well, but so far, the antivirus 
industry has been unable to come up with 
anything capable of replacing this classic ap- 
proach. Consequently, the primary criteria to 
measure the effectiveness of antivirus solu- 
tions will continue to include not only the qual- 
ity of proactive protection, but response time 
to new virus threats (the time it takes to add 
the relevant signature to the database and de- 
liver the update to users) as well. 

On the following page you'll find information 
on average response times demonstrated by 
leading antivirus vendors for major antivirus 
threats during 2005. The Magdeburg Univer- 
sity research group (AV-Test.org) analyzed the 
time it took developers to release updates 
containing the relevant signatures. 

The analysis covered different variants of 16 
worms that were most common in 2005, in- 
cluding Bagle, Bobax, Bropia, Fatso, Kelvir, 
Mydoom, Mytob, Sober and Wurmark. 
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Average response time 


2005 


0 to 2 hours 


Kaspersky Lab 


2 to 4 hours 


BitDefender, Dr. Web, F-Secure, Norman, Sophos 


4 to 6 hours 


AntiVir, Command, Ikarus, Trend Micro 


6 to 8 hours 


F-Prot, Panda Software 


8 to 10 hours 


AVG, Avast, CA eTrust-lnocuLAN, McAfee, VirusBuster 


10 to 12 hours 


Symantec 


18 to 20 hours 


CA eTrust-VET 



Source: Ranking Response Times for Anti-Virus Programs (Andreas Marx of AV-Test.org) 



In summary, a number of important conclu- 
sions can be made from the above. First of all, 
the proactive approach to combating mali- 
cious programs is the antivirus industry's re- 
sponse to the ever-growing stream of new 
malware and increasing rates at which it 
spreads. Existing proactive methods are in- 
deed helpful in combating many new threats, 
but the idea that proactive technologies can 
replace regular updates to antivirus protection 
is a fallacy. In reality, proactive methods re- 
quire updating as much as signature-based 
methods. Existing proactive techniques alone 
can not ensure high malicious program detec- 
tion rates. Furthermore, higher detection rates 
are in this case accompanied by higher false 
positive rates. In this situation, the new threat 
response time remains a solid measure of an- 
tivirus program effectiveness. For optimal an- 
tivirus protection, proactive and signature- 



based methods should be used together, 
given that top detection rates can be achieved 
only by combining these two approaches. The 
figure below shows results of testing con- 
ducted by www.av-comparatives.org to deter- 
mine the overall (signature-based + heuristic) 
malicious program detection levels. It may 
seem that the differences between programs 
that performed well in tests are small. Yet, it 
should be kept in mind that the test was per- 
formed on a collection of over 240,000 viruses 
and a difference of 1 % accounts for about 
2,400 missed viruses. 

Users of antivirus solutions should not place 
too much trust in the information they find in 
vendor marketing materials. Independent tests 
that compare the overall capabilities of prod- 
ucts are best suited to assessing the effec- 
tiveness of available solutions. 
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Oleg Gudilin works at Kaspersky Lab, a leading developer of secure content management solutions that pro- 
tect against viruses, Trojans, worms, spyware, hacker attacks and spam. 
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Introducing the MySQL Sandbox 

By Giuseppe Maxia 



Installing a side instance of MySQL for testing purpose is a task that many 
administrators can perform without breaking a sweat. If you need to do that 
only once in a while, you need just to read the manual carefully, or to have 
some experience in this matter, and the task is accomplished quite easily 



If, however, your skills are below the Guru 
level, even to get this task done just once you 
may find yourself in trouble. And, let's face it, 
even experienced administrators, when they 
need to do this several times, with different 
versions of MySQL, may have trouble doing it 
right. It would be nice to have a tool that takes 
care of the dirty details for you and gets the 
job done quietly, without interfering with exist- 
ing installations, and without side effects. 

Such a tool exists, it's The MySQL Sandbox 
(sourceforge.net/projects/mysql-sandbox/). It 
is a framework for testing features under any 
version of MySQL from 3.23 to 5.1 . Without 
fuss, it will install one server under your home 
directory, and it will provide some useful 
commands to start and stop it, and to use it 
within the sandbox. 

There are many reasons for installing a side 
server. One is testing a potentially dangerous 
application, and you don't want to try it on a 



production server. Another reason is to try dif- 
ferent versions of MySQL on a piece of code 
when hunting a bug. Or you are a consultant, 
your customers are all using different versions 
of the DBMS, and you need to test your pro- 
cedures in an environment that is as close as 
possible to the your clients are using. I don't 
know about you, but in my job I have all the 
above needs, sometimes all at once. 

After having performed the task of installing a 
side instance of MySQL dozens of times, I re- 
alized that I was perhaps wasting too much 
time, especially in terms of responsiveness, 
since I could not answer to emergency prob- 
lems as quickly as I would like. Therefore, I 
forced myself to put together most of my ex- 
pertise into a Perl script, and the MySQL 
Sandbox was born. Now, when I need to test 
something in any version of MySQL from the 
ancient 3.23 to the bleeding edge one in the 
Beta branch, I can do that in a few seconds. 
Literally. 
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With this package you can play with MySQL 
5.x without need of using other computers. 
The server installed in the sandbox use non- 
standard ports and sockets, so that they won't 
interfere with existing MYSQL installations. 

Getting started 

To use MySQL Sandbox you need a few 
things: 

• The Sandbox package itself; 

• Linux or FreeBSD operating system (it may 
work in other *NIX OSs, but has not been 
tested); 

• a binary package of MySQL 3.23 or later; 

• Perl 5.8.1 or later (for installation only); 

• a Bash compatible shell. 



Installation 

To show you the simplest installation, let's as- 
sume that you have already a MySQL binary 
installation, in its default location of /usr/ 

local/mysql. 

Unpack the distribution package in one empty 
directory and run the install script. For exam- 
ple: 

$ ./install. pi 

Now, assuming that johndoe is your user- 
name, (I sincerely hope it is not), you got 
MySQL 5.0 in /usr/iocai/mysqi, and the di- 
rectory from which you are installing is /home/ 

johndoe/install/mysql_sandbox, yOU will be 

greeted by the following confirmation screen: 



The MySQL 5 Sandbox, version 1.4 17-May-2006 
(C) 2006 Giuseppe Maxia, Stardata s.r.l. 



installing with the following 

sandbox_directory 

sandbox_port 

datadir_f rom 

install_version 

basedir 

home_directory 

my_f ile 

opera ting_system_user 

db_user 

db_j?assword 

force 

ve r s ion_a f te r_name 
verbose 

do you agree? ([Y],n) 



parameters : 
= mysql_sandbox5_0 
= 3310 
= archive 
= 5.0 

= /usr/local/mysql 
= /home/ johndoe 

= johndoe 

= data charmer 

= data charmer 

= 0 

= 1 

= 0 



To better understand the options, look at Figure 1 . below - Basic Sandbox directory organization 



local; 



_J /usr 

lo 

I mysql/ 

— /home/ 



(base directory) 



p^j johndoe/ (home directory) 

_J mysqLsandboxSJV (sandbox directory) 

L_ J data/' (data directory) 

J install/ 

I ^ J mysqLsandbox/ (install directory) 
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Putting aside the other options for now, let's 
focus on the directories, basedir is where you 
get the binaries from, i.e., in this case /usr/ 

local /mysql. 

home_directory is your $home, (/home/ 
johndoe). It could be anywhere, but it should 
be a place where you've got all necessary 
writing privileges. Your $home is just a safe as- 
sumption. Under this directory, the installation 
process is going to create the sandbox_di- 



rectory (red colored in the figure) and the 
data directory is just below it. 

If you type Y, or just press ENTER, the instal- 
lation progra will create /home/ johndoe/ 
mysqi_sandbox5_o/, which will contain every- 
thing you need to work with this side instance. 

Just cd to that directory, and use the 
. /start. sh command. You will see the follow- 
ing: 



$ . /start. sh 

/usr /local /mysql ~/mysql_sandbox5_0 
~ /mysql_sandbox5_0 
sandbox server started 
sandbox server started 



Your server is now installed and ready for use. Go ahead and try it out.. 

$ ./use.sh 

Welcome to the MySQL monitor. Commands end with ; or g. 
Your MySQL connection id is 1 to server version: 5.0.22 

Type ' help ; ' or ' h ' for help . Type ' c ' to clear the buffer . 

mysql [localhost] { datacharmer } ( (none) ) > 



After that, you may look around. There is a 
configuration file my. sandbox. cnf, containing 
the starting options for you server. There is a 
using file, containing a reminder of which ver- 
sion and basedir you were using. And there is 



a current_options . conf , containing the op- 
tions used by the installation to create your 
sandbox. Should you need to recreate it, use 
the installation script again with this file as a 
parameter. 



$ cd /install_directory 

$ ./install. pi -f current_options . conf 

When you are done, you may stop the server. 

$ ./stop.sh 



The server will go down quietly. You may 
erase the whole directory if you wish. There 
are some more interesting things that you can 
do. 

Advanced installation 

The above installation was easy. But actually I 
don't recommend installing a sandbox from 

/usr/ local /mysql. 



The reason is that in such a location you in- 
stall the current production release, and if you 
upgrade it, the sandbox will point to a version 
that is different from the one you originally in- 
tended. 

I keep different versions grouped in a direc- 
tory, conveniently named so that they can be 
easily accessed. 
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- J /opt 

t_- 



J mysql/ 




— _ 


3.23.58/ 


— _J 


4.0.26/ 


— _J 


4.1.16/ 


— _ 


5.0.21/ 


— 


5.1.10/ 



- /h« 



(base directory) 



/home/ 

johndoe/ (home directory) 



| mysql_sandbox5_0/ (sandbox directory) 

^ data/ (data directory) 



install/ 

, ' ~J mysqLsandbox/ (install directory) 
Figure 2. Advanced Sandbox directory organization 



Usually I unpack the max package, and re- 
name the unpacked directory to the simple 
version name so 

mysql -max-5 . 0 . 21-linux-i686 . tar . gz be- 

comes 5.0.21 . If I have several packages of 
the same version (it happens when testing the 
source code) I add a letter to the end. 

My side servers organization is something like 
the one shown in Figure 2. 

If you want to get the same organization, just 
download the binary packages for your oper- 



ating system (or compile it if you must) and for 
each version you may need to use, and un- 
pack them in the same directory. Rename 
them appropriately, so that each directory is 
named after a version number, and you are 
ready to install. 

If you want to achieve the same result as in 
the default installation, you should specify 
where the basedir option, so that the installa- 
tion program will create appropriate configura- 
tion files and scripts. 



. /install --basedir=/opt/mysql/5 . 0 . 21 

Should you run this command, though, you will get a different result. 

/home/ johndoe/mysql_sandbox5_0 already exists, 
'--force' option not specified. 
Installation halted 



As a security measure the Sandbox installer But let's take a look at some of the more in- 

will refuse to overwrite existing directories, un- teresting features. The complete list is always 

less you instruct it explicitly to do so with the - available using . /install .pi --help, 
force option. 
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Building the data directory 

By default, the mysqi database comes with 
two users. The datacharmer user has been 
granted all privileges except grant. This user 
can connect from any host. The root user has 
got all privileges, including grant. This user 
can connect only from locainost. 



You can control the creation of the mysql da- 
tabase With the -datadir_from=[ source] . 

The default value for [source] is archive, and 
this will use the packaged mysqi database that 
was just described: 



— datadir_f rom=archive 

Use dir: [name] to import an existing mysqi database: 

--datadir_f rom=dir : /home/ johndoe/my_def ault_mysql_db 

To create the grant tables from scratch, use script: 

- -datadir_f rom=script 



If you change the way your data directory is 
created, you should also modify the username 
and password you want to use. The installer 
will make a grants. mysql file containing the 
commands you should run as root to instanti- 
ate them. In this case, you can start using 
your sandbox by typing: 



$ . /use . sh -u root -p 
Enter password: 

and then pressing enter for an empty pass- 
word. Once inside the client, run source 
grants.mysql, and your users will be created 
with their appropriate passwords. 



Welcome to the MySQL monitor. Commands end with ; or g. 
Your MySQL connection id is 1 to server version: 5.0.22 

Type ' help ; ' or ' h ' for help . Type ' c ' to clear the buffer . 

mysql [localhost] {root} ((none)) > source grants.mysql 



Database changed 

Query OK, 0 rows affected (0.00 sec) 

Query OK, 0 rows affected (0.00 sec) 

Query OK, 0 rows affected (0.01 sec) 

Query OK, 0 rows affected (0.00 sec) 

mysql [localhost] {root} (mysql) > 



After that, you can run the script without additional arguments. 



$ ./use.sh 

Welcome to the MySQL monitor. Commands end with ; or g. 
Your MySQL connection id is 2 to server version: 5.0.22 

Type ' help ; ' or ' h ' for help . Type ' c ' to clear the buffer . 

mysql [localhost] {datacharmer} ( (none) ) > 
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Using the installation wizard 

There are a few more options worth mention- 
ing, but I won't get into detail about them now. 
You would not remember them all (heck, I 
don't remember them, even though I wrote the 
whole thing!). I will mention the only one 
you're going to need if you want to fine tune 



your sandbox installation without memorizing 
too many things. Just run this one: 

./install. pi --interactive 

Then the installation program will turn into a 
wizard (a text-based one, but a wizard none- 
theless) that will guide you step-by-step 
through all the available options. The output 
looks like this: 



~/ install/mysql_sandbox ~/ install/mysql_sandbox/docs 
Enter the values for each option 

To leave the interactive choice and accept default values 
for the remaining options, enter 'default' 
To go to the previous item, enter 'back' 

To quit the installation without any action, enter 'quit' 



home_directory 

The home directory, (default: $HOME (/home/ johndoe) ) 
Your choice: (default value [/home/ johndoe] ) 



sandbox_directory 

Where to install the sandbox, under home-directory 
Your choice: (default value [mysql_sandbox] ) 



sandbox_port 

The port number to use for the sandbox server . 

(Default: 3310) 
Your choice: (default value [3310]) 



Thirteen more options follow (and possibly 
more, depending on how much time has 
elapsed between my writing and your reading 
this piece). For each option, you could either 
press enter, accepting the default value, 
which is shown in brackets, or insert the value 
that is appropriate for your needs. If you have 
already changed what you wanted, and don't 
want to go through the rest of the options list, 
you could enter default, and you leave the 
wizard, accepting default values for the re- 
maining options. 

If you want to cancel the installation, just enter 
quit and the program is terminated without 



performing any action at all. To re-enter the 
previous option, type back. 

Testing recent software on an older ver- 
sion 

Let's say you developed an application, you 
tested it with the current production ready ver- 
sion (5.0), and it works fine. Before releasing 
to the wide public, though, you want to test it 
with earlier versions, to prevent unpleasant 
surprises to your support department. 

Using the Sandbox, the task is easy. For ex- 
ample, to install the latest release from ver- 
sion 4.0, you should enter: 



$ ./install. pi --basedir=/opt/mysql/4 . 0 . 27 

- - sandbox_directory=mysql_sandbox_4_0_2 7 
--install_version=4 . 0 --sandbox_port=4027 
--no ver after name 
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That will create a sandbox directory with a dis- 
tinct name, and a port with the same number 
as the version itself. If that does not sound 
easy, you are right. It's easier than doing it 
manually, but the task can become even eas- 



ier. Starting from Sandbox 1 .5, there is an ad- 
ditional installing program, called 
express_instaii.pi. To accomplish exactly 
the same result, you can enter 



$ ./express install.pl /opt/mysql/4 . 0 . 27 



If you are using /opt/mysqi/ as your binary 
repository, you can even omit the path. The 



express install will generate for you the nec- 
essary options for you. 



$ . /express_install .pi 4.0.27 

Executing ./install. pi --basedir=/opt/mysql/4 . 0 . 27 

--sandbox_directory=mysql_sandbox_4_0_27 
--install_version=4 . 0 
- - sandbox_por t=4 02 7 
--no ver after name 



The MySQL Sandbox, version 1.5 23-May-2006 
(C) 2006 Giuseppe Maxia, Stardata s.r.l. 
installing with the following parameters : 



home_directory 

sandbox_directory 

sandbox_port 

datadir_f rom 

install_version 

basedir 

my_f ile 

opera ting_system_user 

db_user 

db_pas sword 

force 

no_ve r_a f te r_name 
verbose 

do you agree? ([Y],n) 



/home/ johndoe 

mysql_sandbox_4_0_2 7 

4027 

archive 

4.0 

/opt/mysql/4 .0.27 

johndoe 

data charmer 

data charmer 

0 

1 

0 



If you want, you may add some options to 
express_instaii.pi. Everything after the ver- 



sion (or the complete basedir) is passed to 
install.pl. For example: 



$ . /express_install .pi 4.0.27 --interactive 
Executing ./install. pi --basedir=/opt/mysql/4 . 0 . 27 

--sandbox_directory=mysql_sandbox_4_0_27 

--install_version=4 . 0 

--sandbox_port=4027 

--no_ver_af ter_name 

--interactive 

Enter the values for each option 

* To leave the interactive choice and accept default values 

for the remaining options, enter 'default' 

* To go to the previous item, enter 'back' 

* To quit the installation without any action, enter 'quit' 



home_directory 

The home directory, (default: $HOME (/home/ johndoe) ) 
Your choice: (current value [/home/ johndoe] ) quit 
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Using the Sandbox to perform a main plying the following options during to the in- 

MySQL installation stallation program. 



If you want to mimic a normal binary installa- 
tion using the Sandbox, you can do it, by sup- 



home_directory 

sandbox_directory 

sandbox_port 

datadir_f rom 

install_version 

basedir 

my_f ile 

opera ting_system_user 

db_user 

db_pas sword 

force 

no_ver_af ter_name 
verbose 



= /usr/local/ 
= mysql 
= 3306 
= script 
= 5.0 

= /usr/local/mysql 

= large 

= j ohndoe 

= datacharmer 

= datacharmer 

= 1 

= 1 

= 0 



The force option is necessary because it will 
overwrite existing files. Running install. pi 
with the above parameters will get you an in- 
stallation very close to the default one. In ad- 
dition to that, you will have three bash scripts 

(_start.sh_, stop.sh, use.sh), but yOU Can 

also start and stop the server using the normal 

mysql . server SCTipt. 

So why would you do that? Actually, you 
shouldn't. I am showing you how to do it so 
that you would get acquainted with the tool's 
flexibility. The main reason why you shouldn't 
do that is that putting your data under the 
/usr/ directory is seldom a good idea. You 
may use a symbolic link for the data directory, 
but in general you should avoid having your 
data in the same place where you keep your 
applications. 



So the best usage for the Sandbox would be 
to install a new data directory in an appropri- 
ate partition with enough free storage. It will 
save time and you'll get the same result as if 
you'd done it manually. Only neater. 

Creating a sandbox using an existing 
my.cnf with a given version 

When you are testing an existing application, 
or hunting for a bug, it's often important to 
setup a server with a specific my.cnf. 
You know already that the myf iie option will 
accept a {smaiii large i huge} keyword, and it 
will find a sample configuration file from 
$basedir/ support-files. Something that is 
also stated in the help text, but you may over- 
look, is that you can instead supply the full 
path of an existing my.cnf. For example: 



$ ./express install.pl /opt/5.0.21 --my f ile=/opt/mysql/4 . 1 . 19/my . cnf 



The installation program will skip from the 
given installation file those options that are 
indispensable to setup a proper sandbox, and 
will include all remaining options in the final 
my . sandbox . cnf , inserting a comment in the 
file to remind you the origin of such options. 

Troubleshooting 

Nothing is perfect and MySQL Sandbox is no 
exception. There are a couple of things that 
can go wrong. 



a) Sandbox server not started yet 

When you enter . /start. sh, usually you see 
the welcoming message sandbox server 
started, and your are ready to use it. Some- 
times you see a message saying sandbox 
server not started yet. That may be bad news, 
but it may only mean that the server is still 
building the files that are necessary for its 
functioning. For example, if your setup calls 
for a huge InnoDB tablespace, it may take a 
while before the server is up and running. 
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In these cases, have a look at the 
hostname. err file in the data directory. If the 
last message is along the line of "file such and 
such did not exist, new to be created", it 
means that you have to wait a few seconds. 

Look at the data directory, if you see a .pid 
file, everything was fine. If you don't, than 
back to the error log, and try to figure out what 
was wrong. 

b) Character set information not found 

One of the cases that may happen, but only in 
some Linux distributions, is that a old version 
sandbox will complain about something along 
the lines of not finding a file that actually ex- 
ists. 



The message may say: Character set informa- 
tion not found in '/opt/mysql/x.x.xx/share/ 
mysql/english/errmsg. sys' 

You look at 

/opt/mysql/x . x . xx/ share/mysql/english/, 

and indeed the errmsg.sys file is there. I think 
it's a bug, but since it only happens in older 
versions, and only in Debian distributions, I 
will let it at that. The workaround that I found 
needs a root intervention. You need to set a 
symbolic link between your basedir and /usr/ 
locai/mysqi. After that, the server will start. 

I never had this problem on a non-Debian sys- 
tem. 



Giuseppe Maxia is a systems analyst and database designer with 20 years of IT experience. He deals with 
data analysis and migration, performance optimization, general wizardry and is the founding partner and CTO 
of Stardata s.r.L Giuseppe has spoken at several Open Source conferences (MySQL UC 2003, 2004, 
OSDBCon 2005, Linux Expo, Webbit and more), in his home country and abroad. He is a well known contribu- 
tor to PerlMonks and several mailing lists on MySQL and databases. You can find out more about him at 
www.datacharmer.org 



This book discusses the history of 
computer forensics, along with 
policies and standard operating 
procedures and legai considerations, 
and how to locate a qualified 
computer forensics specialist. 

This book is ideal for those needing 
an extensive overview of computer 
forensics, and for readers who are 
intrigued by the subject of computer 
forensics in our highly technical world. 

Get it at Amazon .com and 
many other fine stores. 



PRACTICAL GUIDE TO 



COMPUTER 
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How to keep sensitive data locked down across applications, databases, and 
files, including ETL data loading tools, FTP processes and EDI data transfers. 



Many consider the insider threat to represent 
the greatest vulnerability and exposure to en- 
terprise resources. Database attacks are on 
the rise even as the risks of data breaches are 
increasing. Several industries must deal with 
legislation and regulation on data privacy. 

This article will review how to protect sensitive 
data wherever the data resides: at application- 
level; within databases, files and operating 
systems; and in storage. We will address the 
management of associated encryption keys, 
access control and reporting - helping organi- 
zations mitigate risk and reduce costs, while 
protecting consumer, employee and partner 
information. The approach safeguards infor- 
mation by cryptographic protection from point- 
of-creation to point-of-deletion, to keep sensi- 
tive data locked down across applications, da- 
tabases, and files - including ETL data loading 
tools, FTP processes and EDI data transfers. 
This design principle optimizes placement of 



functions for encryption and security enforce- 
ment among the modules of a distributed 
computer system. 

The guiding concept, continuous protection of 
data, suggests that encryption functions 
placed at low levels, and typically imple- 
mented with native platform-based toolkits, 
may be redundant and of little value when 
compared with the cost of supporting them at 
that low level. The principle suggests that En- 
terprise levels of Data Protection and Key 
Management may be cost effective in many 
configurations. We also include a set of best 
practices that ensure not only a successful 
PCI audit, but a sustained improvement in the 
security and protection of sensitive data, and 
the limiting of theft and its costly aftermath. 

Whether you decide to implement encryption 
inside or outside the data store, we recom- 
mend that: 
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• encrypted information be stored separately 
from encryption keys, 

• strong authentication should be used to 
identify users before they decrypt sensitive 
information, 

• access to keys should be monitored, audited 
and logged, 

• sensitive data should be encrypted end-to- 
end, while in transit in the application and 
while in storage in enterprise data stores. 

We introduce a system-solution example that 
complies with these requirements and pro- 
vides a cost-effective implementation. 

The business problem 

The business problem of IT security is, how- 
ever, more severe than the technical prob- 
lems. Because current user access control 
solutions involve different components for 
authentication, authorization and administra- 
tion (AAA), a solution can fail at any of these 
components. For example, one required com- 
ponent upgrade may no longer interoperate 
with another component, alienating users, 
leading to lost business, and perhaps, to se- 
curity breaches. The result is that IT manag- 
ers face continual, onerous cycles of devel- 



opment and maintenance. In short, the busi- 
ness problem of IT security is to prioritize that 
which simplifies and enhances the user expe- 
rience, to support revenue and revenue 
growth, while reducing enterprise liability and 
expenditure 

Today's IT security solutions will need to be 
continually updated, however, in ever faster 
cycles, to remain effective - more frequent 
patches, upgrades, support, and perhaps re- 
placement - to provide the same level of value 
tomorrow. To date initiatives have focused on 
data in backup and storage systems. However 
regional and vertical mandates - such as U.S. 
state breach notification laws (e.g., California 
Senate Bill 1386), the European Union Data 
Privacy Directive, Japan's Personal Informa- 
tion Protection Act and the Payment Card In- 
dustry standard - are driving companies to 
take an aggressive stance on protecting data- 
at-rest. Organizations are seeking to avoid the 
financial and brand integrity costs associated 
with compromised data, while positioning 
themselves to take advantage of "safe har- 
bors" which often protect companies from 
penalties if appropriate steps have been taken 
to protect sensitive information. 



The business problem of IT security is more severe 
than the technical problems. | 



Security gaps in enterprise security 

Continual development and maintenance not 
only make IT security more expensive than it 
appears, they also make IT security solutions 
less secure, by increasing the number and the 
potential extent of security gaps that may exist 
at any time. 

In a broad generalization, two types of attacks 
can exploit security gaps: network and data 



attacks. A network attack tries to interfere with 
client and/or server systems in transactions, in 
terms of their communication processes. For 
example, an attack may try to gain or deny 
access, read files, or insert information or 
code that affects communication. 

Data attacks try to tamper with, and/or read, 
data in files or messages, by deleting, chang- 
ing, reading, or inserting false data. 
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Trust, risk and the weakest link 

The conventional risk model used in IT secu- 
rity is that of a linked chain - the system is a 
chain of events, where the weakest link is 
found and made stronger. We should question 
this approach because it fails to solve the 
problem of how to provide a secure IT system, 
even when a recognized weak link is made 
stronger. The strengthening of any link, even if 
made much stronger, would not make the sys- 
tem less vulnerable, and might make the sys- 
tem more vulnerable, because the security of 
the system would still depend on a weakest 
link (which might be the newly "hardened" 
link). Further, such solutions are actually 
based on the illogical presumption that "no 
part will fail at any time" - if a critical part fails, 
the system fails. In short, there is an inevitable 
single point-of-failure - that weakest link. 

Making the link stronger will not make the sin- 
gle point-of-failure go away - at most it may 
shift it. 

The need to know and the segregation of 
duties 

The technical objective of information security 
may be stated as: "avoid unnecessary con- 
centration of information and power; allow 
enough concentration to make a task possible 
to execute." An all-knowing, all-powerful entity 
would be the perfect attacker and could break 
any security measure. This is why we often- 
times talk about "need to know" and "separa- 
tion of powers." We name these principles, 
respectively, information granularity and 
power granularity. 

These concepts mean that information should 
not be provided in its entirety to a single entity. 
This is the reason business information and 
power should be carefully distributed, for ex- 
ample, among local employees, the office 
management, the enterprise management and 
the customer. And, contrary to what many ad- 
vocate for IT security solutions, there should 
be no single point of control in an IT security 
system. This can be the single point of failure 
- no matter how trustworthy a single point of 
control is, its failure or compromise leaves no 
recourse for recovery. 



A comprehensive approach to enterprise 
data protection 

New business models rely on open networks 
with multiple access points to conduct busi- 
ness in real time, driving down costs and im- 
proving response times to revenue generating 
opportunities. By leveraging the ability to 
quickly exchange critical information and im- 
prove their competitive position, enterprises 
are introducing new vulnerabilities that can be 
exploited to gain unauthorized access to sen- 
sitive information. By establishing appropriate 
enterprise architecture key management, with 
encryption at application-, database- and file- 
level, the organization maximizes benefits 
while minimizing potential pitfalls to opera- 
tional processes farther down the line. Each 
type of application and storage method may 
need a different approach to lock down data. 
This paper reviews a practical implementation 
of a transparent approach to keep sensitive 
data locked down, utilizing policy driven en- 
cryption and key management for data-at-rest 
and in-transit across enterprise systems. The 
encryption solution operates at the field, re- 
cord and file levels to suit the operational 
needs for each type of application and data 
storage system. 

The primary vulnerability of the database 
and file level encryption 

The primary vulnerability of database- and file- 
level encryption is that they do not protect 
against application-level attacks - the encryp- 
tion function is solely implemented within the 
DBMS. The application protection solution in- 
stitutes policies and procedures that enable 
software developers to effectively build secu- 
rity into enterprise applications, employing ex- 
ternal filters to block attacks. 

Hackers, crackers, internal attacks and busi- 
ness evolution are facts of life; as a result, se- 
curity threats, leaks and lack of scale will con- 
stantly plague user access control solutions 
based on password lists, access control data- 
bases, and shared secrets. With more users, 
more applications and more revenue depend- 
ing on Web resources, it is more important 
than ever before to provide remote user ac- 
cess while protecting the enterprise's re- 
sources. With multiple administrative domains 
and the need for quick response to market 
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changes, managers often need centralized 
user administration and control delegation to 
be effective. For end-to-end web security, 
consider implementing application-layer en- 
cryption security to protect PINs and other 
sensitive data in communications between 
web browsers and hosts. App-level protection 
ensures sensitive information is protected 



from its point of entry until it is validated or 
used by the target applications. This ad- 
dresses an inherent limitation in most Secure 
Socket Layer (SSL) implementations that ter- 
minate encryption at the web servers and cre- 
ate the potential exposure of clear text in the 
form of sensitive user credentials and busi- 
ness transactions. 



PROTECTING CUSTOMER DATA IS MUCH LESS EXPENSIVE THAN 

DEALING WITH A SECURITY BREACH. 



A framework that includes the following com- 
ponents 

This security solution helps companies protect 
themselves through a framework that includes 
the following components: 

1. Encryption key management: enables or- 
ganizations to manage encryption keys gen- 
erated by disparate enterprise applications 
helping to guarantee the seamless flow of pro- 
tected information, with minimal intrusiveness. 

2. Application protection: institutes policies 
and procedures that enable enterprise soft- 
ware developers to effectively build security 
into applications and use external filters to 
block attacks. 

3. Data protection: helps ensure that data is 
encrypted wherever it resides, including data- 
bases, files/OSs, and in storage, with minimal 
intrusiveness and most granular separation of 
duties. 

According to Gartner, Inc.: "Protecting cus- 
tomer data is much less expensive than deal- 
ing with a security breach in which records are 
exposed and potentially misused." 
Specifically, Gartner estimates that compro- 
mises involving more than 1 million accounts 
will be close to $50 per account. Smaller 
breaches carry significant costs, as well - in 
2002, Gartner estimated that the cost per ac- 
count will be closer to $1 ,500 per account, not 
including market cap fluctuation, when about 
5,000 accounts were compromised. (Source: 
"Data Protection is Less Costly than Data 
Breaches," John Pescatore and Avivah Litan. 
September 16, 2005). 



The challenge to get the parts together 

The challenge is to get the parts together - 
expertise in database encryption, application 
security and file encryption to be applied in the 
integrated solution: 

1 . Protection of sensitive data in any place 
where data reside will include an enterprise 
key management and crypto support (or re- 
mote access to crypto support) on all major 
OS platforms. 

2. Sensitive data should be encrypted end-to- 
end will include an enterprise key manage- 
ment and crypto support (or remote access to 
crypto support) on all major OS platforms. 
Partner solution will extend the support to ad- 
ditional platforms, including mobile devices. 

3. The distribution and protection of encryption 
keys in all different environments is the foun- 
dation for enforcing authentication and non- 
repudiation. The protection of encryption keys 
is linked to the authentication and authoriza- 
tion that supports the non-repudiation of each 
cryptographic operation. Each environment 
presents a unique level to enforce or not en- 
force authentication and non-repudiation, 
based on the support provided by the combi- 
nation of OS and DBMS. 

Consolidation of policy management 

There is a real need, thus, to bring together 
policy, management and implementation con- 
siderations influencing security assurance for 
each particular IT solution. Other security 
principles such as redundancy, diversity, no 
single point of failure, and least-privilege also 
need to be used in defining the specific re- 
quirements for a secure IT system. 
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Such requirements need to be clearly formu- 
lated, decidable and, as much as possible, 
complete. An end-to-end design is important 
to assure effectiveness, because attacks and 
errors are hard to detect and prevent at inter- 
face points. Because there are no paper trails, 
non-repudiation is also essential for Internet 
and IT security systems. Non-repudiation is 
often defined as providing proof that a particu- 
lar act had actually been performed - exam- 
ple, as demonstrated by a trusted time-stamp. 
However, we may view the concept of non- 
repudiation much more strictly - as in prevent- 
ing the effective denial of an act. The first 
definition describes the component quality 
used in the IT system, where a weak compo- 
nent may compromise the whole system. The 
stricter definition focuses on the need to con- 
tinuously evaluate all potential and existing 
threats, verifying any additional security de- 
sign features that might be necessary to miti- 
gate risks stemming from the most likely or 
most damaging threats to the customer envi- 
ronment, and eventual changes in that envi- 
ronment. 

An effective data protection solution 

An effective data protection solution needs to 
deal with an extensive list of security proper- 
ties. A secure IT system must not "pop" like a 
balloon when subjected to an attack, or fail 
silently, leaving no trace of the attack. There 
should be no single point of failure. There 
must be multiple channels of communication 
and correction, even if the channels are not 
100% independent. We intuit an increase in 
reliability by using multiple channels of infor- 
mation. This correlates well with our percep- 
tion of how trust may be defined - we know 
from experience that we trust more when we 
have more evidence to support trust. In an IT 
security system, we define trust as qualified 
reliance on information, based on factors in- 
dependent of that information. More precisely, 
trust is that which is essential to a communi- 
cation channel but cannot be transferred using 
that channel. 

A true end-to-end encryption solution 

To cope with the accelerated risks and obso- 
lescence typical of IT security solutions, en- 
terprises need an End-To-End IT security so- 
lution that can provide shorter, less expensive, 



deployment, development and maintenance 
cycles. The solution should minimize the 
probability of patches, upgrades and support 
during the lifetime of an IT security system. 
The solution also needs to integrate core se- 
curity services and eliminate known or costly 
weak links such as password lists, access 
control databases, shared secrets, and client- 
side PKI. 

What are these core security services, what 
else is required in order to solve both the 
technical and business problems of IT secu- 
rity? We first need to look at the security gaps 
that can be exploited, and what security serv- 
ices are necessary to prevent such breaches. 
Second, we need to realize that it is the com- 
bination, and interoperation, of security prop- 
erties that can provide the resiliency required 
of a secure IT system. An IT security system 
needs to have the equivalent of several inde- 
pendent, active barriers, controlling different 
security aspects but complementing each bar- 
rier's function. Lastly, an IT security solution 
needs to be highly scalable, supporting any- 
where from hundreds to millions or tens of mil- 
lions of users, compatible with the current in- 
frastructure and standards, and extensible. 

Security management must be based on a 
security policy 

Several key elements of a comprehensive se- 
curity policy: 

• Trust - qualified reliance on information, 
based on factors independent of that informa- 
tion 

• Access control - granting access to informa- 
tion objects based on the trusted identity of 
users - limiting access to system resources to 
authorized users, processes or systems - vali- 
dated before decryption of data items is 
authorized 

• Audit and maintenance of historical logs of 
all transactions, reviewed to maintain ac- 
countability for all security relevant events. 
This covers archived data with support for 
adding strong encryption over time. 

• Authentication - corroboration of a credential 
or claim; the ability to establish and verify the 
validity of a user, user device or other entity - 
also, the integrity of the information stored or 
transmitted. This should cover integration with 
LDAP, X.500, i500 product, Active Directory 
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implementation, and other derivations and im- 
plementations of user directories. 

• Authorization - conveyance of rights, power 
or privilege to see, do or be something, includ- 
ing The Open Group, OASIS, and other XML- 
based authorization standard. 

• Confidentiality - ensuring that data is not 
available or disclosed to unauthorized indi- 
viduals, entities or processes, to include sepa- 
ration of duties/power/roles. 

• Integrity - ensuring that data is not altered or 
destroyed in an unauthorized manner. 



• Non-repudiation - the ability to prevent the 
effective denial of an act; the ability to prove 
the origin and delivery of transactions and 
data-at-rest changes. 

• Security management - a defined process to 
perform system security functions such as 
audit, credential management and configura- 
tion management. Security management must 
be based on a security policy - the set of laws, 
rules, and practices that regulate how an en- 
terprise manages, protects, and distributes 
sensitive information. 



Encryption should be implemented to leverage the existing 
high-performance infrastructure and scale, not impede overall performance. 



Centralized administration of security poli- 
cies 

In short, with centralized user administration, 
security policies can remain consistent, easy- 
to-manage and audit. Centralized administra- 
tion of users is, thus, a common operational 
requirement in networked environments. 
However, the need for centralized user ad- 
ministration does not mean the absence of 
delegation. 

Delegated or distributed administration is a 
requirement for medium-size to large enter- 
prises, where administrative domains within 
an organizational unit or divisional lines are 
common. It is unrealistic to have one group 
responsible for administration for the entire 
enterprise. Delegated administration is also 
necessary for B2B/partner e-business models 
(e.g., a partner company administers its own 
employees in a constrained administrative 
domain within your infrastructure). 

Delegated administration is frequently imple- 
mented by means of control delegation, de- 
fined as allowing local sub-domain control 
within a domain. The need for centralized user 
administration also does not mean a need for 
centralized control in the security solution that 
provides it. In fact, we need to avoid the 
seemingly desirable scenario of a single point 
of control, which The Continuously Secure 



Data System recognizes as a single point of 
failure. Thus, to achieve central user admini- 
stration and to provide control delegation, an 
IT security solution should use a distributed, 
highly non-local system, transparent to the 
users of the system. In short, one needs a dis- 
tributed central control system, where different 
authority sub-domains can be activated, sus- 
pended and revoked by a central administra- 
tion. 

Best practice for protecting data-at-rest 

In order to mitigate this increased risk, the use 
of encryption is increasingly being required or 
recommended as a best practice for protect- 
ing data-at-rest. Financial services institutions, 
merchants that accept credit cards, health 
care services enterprises, and government 
agencies that maintain confidential personal 
information are required to consider use of 
encryption to protect their personally identifi- 
able information Pll. System performance 
scalability is critical to meeting the needs of an 
enterprise. Introducing a variable to the infra- 
structure that limits scaling in a predictable 
manner can "bottleneck" the flow of data and 
prevent the organization from achieving fore- 
casted return on its IT investment. 

Encryption should be implemented to leverage 
the existing high-performance infrastructure 
and scale, not impede overall performance. 
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The Continuously Secure Data Protection 
System 

Our vision is that security needs to "own" an 
end-to-end property; otherwise, security 
breaches are possible at security point- 
interfaces, which may allow gaps in protec- 
tion. As it is clear from the previous discus- 



sion, authentication and authorization are not 
sufficient for this end-to-end E2E purpose. 

Providing an E2E-encryption solution for IT 
security and user access control, the Continu- 
ously Secure Data System establishes the 
medium to integrate a number of core capa- 
bilities in IT security solutions including: 



• tamperproof cryptographic credentials 


• no single point of control 


• authentication 


• least privilege 


• authorization 


• data confidentiality 


• centralized user administration 


• data integrity 


• control delegation 


• non-repudiation 


• access control 


• spoof prevention 


• session control 


• immediate suspension as well as revocation of 
credentials 



The Continuously Secure Data System also 
recognizes the need to bind a system of trust 
to IT security solutions, to communicate trust 
not only machine-to- machine, but also 
human-to-machine. We need to provide these 
capabilities in a scalable system, supporting 
hundreds of users, to millions or tens of mil- 
lions, and which is compatible with existing 
infrastructure, current & evolving Internet 
standards, with as much backward compatibil- 
ity as possible. Finally, the Continuously Se- 
cure Data System must take business drivers 
into account - quicker and less expensive de- 
ployment, development and maintenance cy- 
cles; less need for integration with other 
(changing) products; ease-of-use; and close 
back-end to front-end integration so that leg- 
acy systems can be reliably used. 

Policy-driven data protection 

Such data protection solution helps ensure 
that data is encrypted everywhere it may re- 
side, with minimal intrusiveness and maximal 
separation of duties. Application code and da- 
tabase schemas are sensitive to changes in 
data type and data length. Our policy-driven 
solution allows transparent data-level encryp- 
tion that retains data field type or length. Data 
Transformation and Protection DTP can be 
added to reduce the need for changes to data 
structures and applications. The field-level en- 
cryption approach is very useful when dealing 
with EDI/FTP/flat files being transferred be- 
tween discrete systems. At no time is sensitive 



data in an unencrypted state at-rest on any 
system. 

How to encrypt data if a binary format is 
not desirable 

If data is to be managed in binary format, 
"varbinary" can be used as the data type to 
store encrypted information. On the other 
hand, if a binary format is not desirable, the 
encrypted data can be encoded and stored in 
a VARCHAR field. There are size and per- 
formance penalties when using an encoded 
format, but this may be necessary in environ- 
ments that do not interface well with binary 
formats, if support for transparent data-level 
encryption is not used. In environments where 
it is unnecessary to encrypt all data within a 
data store, a solution with granular capabilities 
is ideal. Even if only a small subset of sensi- 
tive information needs to be encrypted, addi- 
tional space will still be required if transparent 
data-level encryption is not used. Secure 
data-level encryption for data-at-rest can be 
based on block ciphers. 

The proposed solution is based on transpar- 
ent data level encryption with Data Type 
Preservation that Does Not Change ASCII 
Data Field Type or length. The solution pro- 
vides a cost effective implementation, avoid- 
ing changes of Millions of Lines of Business 
Code in larger enterprise information systems. 
The solution also provides an effective last 
line of defense: selective column-level data 
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item encryption, cryptographically enforced 
authorization; key management based on 
hardware or software, secure audit and report- 
ing facility, and enforced separation of duties. 
The method is cryptographically strong, works 
with any DBMS and OS, works with different 
character sets, no application or database 
changes, no programming language depend- 
ence, fail safe, requires no DBA intervention. 
Data loader functions normally and queries 
function normally. Enhanced search capabili- 
ties based on partial encryption of data can 
easily be added with this approach. 

The optimal place to encrypt data will al- 
ways depend on the situation 

Give careful consideration to the performance 
impact of implementing a data encryption so- 
lution. First, enterprises must adopt an ap- 
proach to encrypting sensitive fields only. 
Such a solution allows the enforcement mod- 
ule to be installed with the file system, at the 
database table-space level, or at column-level 
to meet different operations needs. It allows 
the encrypt/decrypt of data as the database 
process reads or writes to its database files. 
This enables it to perform cryptographic op- 
erations in file system block segments, in- 
stead of in individual cell, rows or columns. 

Allow optional granularity and implementa- 
tion layers for the data encryption 

Compared to triggers, stored procedures, ex- 
ternal API calls and network round-trips, there 
is very little overhead in some operational 
situations. Furthermore, this solution can de- 
crypt data before it is read into the database's 
cache. Subsequent hits of this data in the 
cache neither incur additional overhead. Nor 
does this architecture diminish database index 
effectiveness. It depends on the situation if 
this exposure will meet your security require- 
ments. 

Encrypt a few very sensitive data elements 

Encryption, by its nature, slows most SQL 
statements. With care, the amount of over- 
head should be minimal. Also, encrypted data 
will have a significant impact on your data- 
base design. In general, it is best to encrypt a 
few very sensitive data elements in a schema, 
like Social security numbers, credit card num- 



bers, patient names, etc. Some data values 
are not good candidates for encryption - i.e., 
Booleans (true and false), or other small sets 
like integers 1-10. These values, and column 
names, may be easy to guess, so you want to 
decide whether encryption is really useful. 
Creating indexes on encrypted data is a good 
idea in some cases. Exact matches and joins 
of encrypted data will use the indexes you 
create. Since encrypted data is essentially bi- 
nary data, range checking of encrypted data 
would require table scans. Range checking 
will require decrypting all the row values for a 
column, so avoid it if it is not tuned appropri- 
ately, with an accelerated search index. 

Searching for encrypted value within a 
column 

Searching for an exact match of an encrypted 
value within a column is possible, provided the 
same initialization vector is used for the entire 
column. On the other hand, searching for par- 
tial matches on encrypted data within a data- 
base can be challenging and may result in full 
table scans if support for accelerated index- 
search on encrypted data is not used. One 
approach to performing partial searches, with- 
out prohibitive performance constraints - and 
without revealing too much sensitive informa- 
tion - is to apply an HMAC to part of the sensi- 
tive data and store it in another column in the 
same row. 

Encrypted columns can be a primary key 

Encrypted columns can be a primary key or 
part of a primary key, since the encryption of a 
piece of data is stable (i.e., it always produces 
the same result), and no two distinct pieces of 
data will produce the same cipher text, pro- 
vided consistent use of the key and initializa- 
tion vector. However, when encrypting entire 
columns of an existing database, depending 
on the data migration method, database ad- 
ministrators might have to drop existing pri- 
mary keys, as well as any other associated 
reference keys, and re-create them after the 
data is encrypted. For this reason, encrypting 
a column that is part of a primary key con- 
straint is not recommended if support for ac- 
celerated index search on encrypted data is 
not used. Since primary keys are automati- 
cally indexed, there are also performance 
considerations, particularly if support for 
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accelerated index-search on encrypted data is 
not used. 

Plan before encrypting information in in- 
dexed fields 

We create indexes to facilitate the search of a 
particular record, or set of records, from a da- 
tabase table. Carefully plan before encrypting 
information in indexed fields. If you do not 
employ accelerated database indexes, look- 
ups and searches in large databases may be 
seriously degraded by the computational 
overhead of decrypting the field contents. 
This can prove frustrating at first because ad- 
ministrators often index fields that must be 
encrypted - Social Security numbers or credit 
card numbers. New planning considerations 
will need to be made when determining what 
fields to index if accelerated database indexes 
are not used. Indexes are created on a spe- 
cific column or a set of columns. When the da- 
tabase table is selected, and WHERE condi- 
tions are provided, the database will typically 
use the indexes to locate the records, avoid- 
ing the need to do a full table scan. In many 
cases, searching on an encrypted column will 
require the database to perform a full table 



scan regardless of whether an index exists. 
For this reason, encrypting a column that is 
part of an index is not recommended, if sup- 
port for accelerated index-search on en- 
crypted data is not used. 

When to use initialization vectors 

When using CBC mode of a block encryption 
algorithm, a randomly generated initialization 
vector is used and must be stored for future 
use when the data is decrypted. Since the IV 
does not need to be kept secret it can be 
stored in the database. If the application re- 
quires having an IV per column, which can be 
necessary to allow for searching within that 
column, the value can be stored in a separate 
table. For a more secure deployment, but with 
limited searching capabilities if support for ac- 
celerated index-search on encrypted data is 
not used, an IV can be generated per row and 
stored with the data. In the case where multi- 
ple columns are encrypted, but the table has 
space limitations, the same IV can be reused 
for each encrypted value in the row, even if 
the encryption keys for each column are dif- 
ferent, provided the encryption algorithm and 
key size are the same. 
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Carefully plan before encrypting information in indexed fields. 



The use of initialization vectors together 
with certain encryption modes 

If you are using AES-CTR Advanced Encryp- 
tion Standard and DTP is functionally equiva- 
lent to a stream cipher; it generates a pseudo- 
random cipher stream that is XORed into 
plaintext to form ciphertext. The cipher stream 
is generated by applying the AES encrypt op- 
eration on a sequence of 128-bit counter 
blocks. Counter blocks, in turn, are generated 
based on record sequence numbers (in the 
case of TLS), or a combination of record se- 
quence and epoch numbers (in the case of 
DTLS.) AES Counter Mode is typically used 
as a Transport Layer Security (TLS) and Da- 



tagram Transport Layer Security (DTLS): It 
should be noted that although the client and 
server use the same sequence number space, 
they use different write keys and counter 
blocks. There is one important constraint on 
the use of counter mode ciphers: for a given 
key, a counter block value MUST never be 
used more than once. This constraint is re- 
quired because a given key and counter block 
value completely specify a portion of the ci- 
pher stream. Hence, a particular counter 
block value when used (with a given key) to 
generate more than one cipher text leaks in- 
formation about the corresponding plaintexts. 
Given this constraint, the challenge then is in 
the design of the counter block. 
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Database file encryption will leave your 
live database in clear 

This solution's policies can selectively encrypt 
individual files and do not require that "the en- 
tire database" be encrypted. Database admin- 
istrators can assign one or more tables to a 
table-space file - policies may then specify 
which table-spaces to encrypt. In this way you 
encrypt only the database tables that have 
sensitive data, and leave the other tables un- 
encrypted. This said, in some situations, some 
customers choose to encrypt all database files 
because there is little performance penalty 
and no additional implementation effort in do- 
ing so. 

Central encryption appliances vs. distrib- 
uted encryption engines 

Network-attached encryption (NAED), as a 
network-attached encryption appliance was 
implemented by my teams at IBM, involving 
work with nCipner, Eracom and Chrysalis 
(SafeNet) starting in 1994. Our research and 
benchmarking is reported here. A NAED is a 
hardware device that resides on the network, 
houses the encryption keys and executes all 
crypto operations. This topology has the 
added security of physically separating the 
keys from the data. However, this added secu- 
rity comes at a heavy price; performance can 
be 10-1000 times less efficient than alterna- 
tive methods. SAN /NAS proxy encryption per- 
forms close to line-speed, but it is less feasi- 
ble from a scalability perspective in a terabyte 
configuration compared to a host based file 
encryption solutions using software. The 
heavy price paid for such network-attached 
encryption? Benchmarks reveal a throughput 
of between 440 and 1 ,100 row-decryptions 
per second. This example debunks the gener- 
ally held myth that NAEDs off-load work from 
the database. Further, a network-attached en- 
gine does not provide high availability, unless 
multiple engines are configured into a high 
availability cluster. 

An off-load of work with the network- 
attached appliance? 

The short answer is "no," there isn't an off- 
load of work since this solution must perform 
one encryption operation in the database, 
which is the same for other topologies, in ad- 



dition to the encryption functions at the NAED. 
When a user requests secured data, the secu- 
rity system manages the process of retrieving 
encrypted data from the database, ensuring 
that the request is from an authorized user, 
and performing the decryption process. In this 
topology, the encryption agent handles the re- 
quest and retrieves the encrypted data from 
the database. It sends the encrypted data 
over the network to be decrypted by the 
NAED. Inside the NAED are the keys and al- 
gorithms to decrypt the data. Once decrypted, 
however, we have clear-text information that 
needs to be sent back over the wire to the da- 
tabase server. This requires that we re-secure 
the information for transit, typically through a 
secure communication process such as SSL. 
When the data arrives at the agent on the da- 
tabase server, it has to be returned to clear- 
text, and then it is served up to the calling ap- 
plication. 

Exposing an encryption appliance will in- 
troduce an additional point of attack. 

An integrated central and distributed solution 
can protect from this vulnerability. Denial-of- 
service attacks are another related concern 
with network-attached engines. Since the en- 
gine is available over TCP/IP, an attacker 
could flood the engine with traffic and block 
legitimate cryptographic requests. If required 
information can't be decrypted, then a cus- 
tomer may not be able to place an order or 
access account information. If the database 
stores encrypted records that are critical for 
business operation, a successful denial-of- 
service attack could have severe conse- 
quences. 

Scalable, centralized life-cycle cycle man- 
agement for encryption keys 

Well-worn though it may be, the saying that 
"the chain is only as strong as its weakest link" 
clearly applies to efforts of organizations to 
secure sensitive data and ensure data privacy. 
Keys are the foundation of all encryption- 
based security solutions. If a hacker, internal 
or external, gains access to your private keys, 
the security of all data formerly protected by 
encryption is gone. Not reduced - gone. That 
is a risk currently assumed by companies that 
store private keys used for data encryption in 
insecure locations whether Web, application, 
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or database servers. These servers are typi- 
cally not secure because there are many peo- 
ple with access to them, the servers are often 
misconfigured, and they often aren't kept up to 
date with the latest security patches. Addition- 
ally keys are usually stored in an easily read- 
able plaintext format. Even organizations that 
make efforts to protect private keys with 
passwords find that these passwords aren't 
protected properly are chosen poorly and 
usually must be shared between multiple ad- 
ministrators. These keys are vulnerable to 



discovery. An intruder who compromises your 
keys can launch "eavesdropping" attacks us- 
ing the stolen key to hack into vital data re- 
positories. This could result in data theft, loss 
of privacy for your employees and customers, 
and damages to brand credibility and cus- 
tomer confidence. Stringent security defenses 
protect each sensitive element of the system - 
each protected by its own unique, randomly 
generated key. Private keys are stored en- 
crypted with several Triple-DES encryption 
keys that are nested. 



AN INTRUDER WHO COMPROMISES YOUR KEYS CAN LAUNCH "EAVESDROPPING" AT- 
TACKS USING THE STOLEN KEY TO HACK INTO VITAL DATA REPOSITORIES. 



Effectively and efficiently manage encryp- 
tion keys 

Our encryption key management solution en- 
ables organizations to effectively and effi- 
ciently manage encryption keys generated by 
disparate enterprise applications, helping to 
guarantee the seamless flow of protected in- 
formation, with minimal intrusiveness. One of 
the primary elements of modern cryptography 
most often recommended by regulations and 
industry standards is the concept of a data 
encryption key. Encryption requires that a key 
be used to initially encrypt a piece of sensitive 
information and is subsequently required to 
decrypt that information when needed by ap- 
plications. Not only is it important to effectively 
protect this key against misuse, it is also im- 
portant to ensure that the key is quickly ac- 
cessible by applications when needed. Tradi- 
tionally, applications that use encryption tech- 
nology have had to handle the management 
of encryption keys on their own - creating a 
host of incompatible solutions. 

The Key Manager is designed to help compa- 
nies alleviate these problems by centralizing 
the life-cycle management of encryption keys 
across their information infrastructure. Key 
Manager works across a wide variety of oper- 
ating platforms and development environ- 
ments to ease integration and ongoing ad- 
ministration of applications that use encryp- 
tion. It is also easily integrated into retail point- 
of-sale terminals, reservation systems, pay- 
ment systems and other applications to pro- 
tect sensitive information such as credit card 



magnetic stripe data and consumer data at 
point of entry. 

Protect at the point of entry and through- 
out the information life-cycle 

The capability to protect at the point of entry 
helps ensure that the information will be both 
properly secured and fully accessible when 
needed at any point in its enterprise informa- 
tion lifecycle. Regulatory compliance and in- 
dustry security standards such as the PCI 
Data Security Standards DSS continue to mo- 
tivate large corporations to develop and adopt 
an encryption strategy for their high-risk data 
stores and applications. Recent high-profile 
security breaches exposing personal identity 
information have made the need for better in- 
formation protection obvious to the public. 
However, effectively implementing an encryp- 
tion strategy has traditionally required applica- 
tion developers and data architects that pos- 
sess a high level of security knowledge. On- 
going administration and management of en- 
cryption technology is also a major concern as 
more applications and data stores require it in 
order to protect data. 

The Key Manager solution provides a secure 
storage of encryption keys. All keys in the key 
vault database are encrypted using a pro- 
tected master encryption key. This multi-layer 
hierarchy of keys ensures the highest level of 
protection against attack with a hierarchy in 
which each key is protected by a parent key. 
Authentication and authorization for system 
administrators is performed using the included 
Access Manager. 
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Access Manager is designed to provide the 
necessary separation of duties and adminis- 
trator roles required for strong security over 
the Key Manager system as well as to meet 
specific PCI standard requirements. 

How to reduce the risk of memory attacks 

Memory attacks may be theoretical, but cryp- 
tographic keys, unlike most other data in a 
computer memory, are random. Looking 
through memory structures for random data is 
very likely to reveal key material. Well made 
libraries for use as Local Encryption Services 
go to great efforts to protect keys even in 
memory. 

Key-encryption keys are used to encrypt the 
key while it is in memory and then the en- 
crypted key is split into several parts and 
spread throughout the memory space. Decoy 
structures might be created that look like valid 
key material. Memory holding the key is 
quickly zeroed as soon as the cryptographic 
operation is finished. These techniques re- 
duce the risk of memory attacks. Separate 
encryption can also be used for different data. 
These encryption keys can be automatically 
rotated based on the sensitivity of the pro- 
tected data. Dedicated Encryption Services 
are also vulnerable to memory attacks. How- 
ever, a well made Dedicated Encryption Serv- 
ice runs only the minimal number of services. 



A WEAK LINK IN THE SECURITY OF 

An optional hardware security module 
when FIPS 140-2 Level 3 is required 

Best practice - taking response time, added 
overhead and path length into account, that 
always occur invoicing a remote hardware 
routine invocations - network-attached encryp- 
tion is to use the HSM for optional key man- 
agement operations. This is the only general 
solution that proves to be scalable in an en- 
terprise environment. The solution includes an 
optional, tamper-resistant hardware security 
module (HSM), including HSM's certified to 
FIPS 140-2 Level 3, the widely accepted 
standard of government-specified best prac- 
tices for network security. Private keys are 
generated and stored in encrypted form within 



Secure key backup 

A weak link in the security of many networks is 
the backup process. Often, private keys and 
certificates are archived along with configura- 
tion data from the backend servers. The 
backup key file may be stored in clear text or 
protected only by an administrative password. 
This password is often chosen poorly and/or 
shared between operators. To take advantage 
of this weak protection mechanism, hackers 
can simply launch a dictionary attack (a series 
of educated guesses based on dictionary 
words) to obtain private keys and associated 
certificates. Private keys should never be ex- 
ported from the product in clear text. The 
backup file should be password protected and 
then encrypted using an internal key. 

When private keys are backed up from the so- 
lution platform, they should be encrypted 
twice, once using an administrative backup 
key and a second time with the internal Re- 
pository key. This type of key management 
makes it impossible for attackers to launch 
dictionary attacks and other password- 
guessing techniques aimed at exposing an 
administrative password and unlocking the 
backup file. Your private keys can never be 
exported in clear text and cannot be released 
without cracking several layers of triple-DES 
encryption, ensuring secure preservation of 
key data in all backup and storage activities. 



MANY NETWORKS IS THE BACKUP PROCESS. 

an HSM. Keys stored in the HSM are pro- 
tected from physical attacks and cannot be 
compromised even by stealing the HSM itself. 
Any attempt to tamper with or probe the card 
will result in the immediate destruction of all 
private key data, making it virtually impossible 
for either external or internal hackers to ac- 
cess this vital information. If we compare the 
response time for a query on unencrypted 
data with the response time for the same 
query over the same data (some or all of it 
encrypted), response time over encrypted 
data will increase due to the cost of decryption 
as well as additional overhead and path length 
that always occur with a remote hardware rou- 
tine invocations (Network-attached encryp- 
tion). On z/OS there are ways to avoid this by 
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using native z/OS silicon implementation of 
encryption algorithms. 

Centralized control of all key management 
operations 

The Key Manager solution provides a central- 
ized administration of all key management 
operations across applications and data 
stores that employ encryption, to help simplify 
the deployment and ongoing administration of 
the overall encryption solution. Key life-cycle 
management includes policy-based key gen- 
eration, retrieval, automated expiration, dis- 
tributed and local caching, central archival and 
restoration, as well as audit logging. 

It also includes robust fail-over and availability 
features to help ensure maximum uptime for 
critical applications that require access to 
keys. The solution the use of standard data- 
base technologies combined with strong secu- 
rity protections. And it eases implementation 
by presenting simple programming interfaces 
for developers, eliminating the need to under- 
stand keys or their management. This reduces 
development time as well as implementation 
risks. 

A secure mechanism for key rotation 

Data privacy solutions should also include an 
automated and secure mechanism for key ro- 
tation, replication, and backup. One easy solu- 
tion is to store the keys in a restricted data- 
base table or file. But, all administrators with 
privileged access could also access these 
keys, decrypt any data within your system and 
then mask their intrusion/attack. 

Database security in such a situation is based 
not on industry best practice, but on an em- 
ployee honor code. If your human resources 
department locks employee records in file 
cabinets where one person is ultimately re- 
sponsible for the keys, shouldn't similar pre- 
cautions be taken to protect this same infor- 
mation in its electronic format? All fields in a 
database and different encryption keys do not 
need the same level of security. 

With tamper-proof hardware and software im- 
plemented, the encryption being provided by 
different encryption processes utilizing at least 
one process key in each of the categories 



master keys, key encryption keys, and data 
encryption keys, the process keys of different 
categories being held in the encryption de- 
vices; wherein the encryption processes are of 
at least two different security levels, where a 
process of a higher security level utilizes the 
tamper-proof hardware device to a higher de- 
gree than a process of a lower security level; 
wherein each data element which is to be pro- 
tected is assigned an attribute indicating the 
level of encryption needed, the encryption 
level corresponding to an encryption process 
of a certain security level. 

With such a system it becomes possible to 
combine the benefits from hardware and soft- 
ware based encryption. The software- 
implemented device could be any data proc- 
essing and storage device, such as a personal 
computer. 

The tamper-proof hardware device provides 
strong encryption without exposing any of the 
keys outside the device, but lacks the per- 
formance needed in some applications. 

On the other hand the software-implemented 
device provides higher performance in execut- 
ing the encryption for short blocks, in most 
implementations, but exposes the keys result- 
ing in a lower level of security. 

Support for PCI Credit card key manage- 
ment requirements 

The solution supports PCI key management 
requirements and helps companies meet 
these guidelines. A robust, open architecture 
leverages proven cryptographic toolkits and is 
built using industry-standard security practices 
and protocols. The product also integrates 
with other security technologies including 
authentication. Many companies facing the 
PCI compliance issue are wondering how they 
can enforce the PCI regulations without sig- 
nificantly increasing staff and IT costs. 

With the potential result of non-compliance 
being severe damage to the financial health 
and the brand reputation of an enterprise, or- 
ganizations want to protect themselves to the 
fullest while minimizing necessary costs. 
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After an initial PCI compliance audit is com- 
pleted, there are a host of initiatives organiza- 
tions should consider in order to stay in front 
of emerging security threats and evolving 
compliance mandates. 

This session offers an overview of the PCI 
mandate, including which organizations are 
affected, which specific rules pertain to en- 
cryption, and an overview of encryption solu- 
tions that help address these mandates. Also 
included is a case study outlining a sample 
deployment, a set of best practices that en- 
sure not only a successful PCI audit, but a 
sustained improvement in the security of sen- 
sitive data that can help mitigate the threats of 
data theft and its costly aftermath. 

Conclusion 

This paper presents experience from many 
years of research and practical use of cryptog- 
raphy for safeguarding information from the 
point of acquisition to the point of deletion. We 
use the key concepts of security dictionary, 
type-transparent cryptography, and propose 
solutions on how to transparently store and 
search encrypted database fields. We showed 



that the hybrid database encryption solution is 
the most successful offering for most applica- 
tion environments. 

This paper presented a design principle that 
helps guide placement of functions for encryp- 
tion and security enforcement among the 
modules of a distributed computer system. 
The principle suggests an enterprise approach 
to data protection. Whether you decide to im- 
plement encryption inside or outside the data 
store, we recommend that encrypted informa- 
tion should be stored separately from encryp- 
tion keys, strong authentication should be 
used to identify users before they decrypt 
sensitive information, access to keys should 
be monitored, audited and logged, sensitive 
data should be encrypted end-to-end, while in 
transit in the application, and while in storage 
in enterprise data stores. 

We present this solution as an example of a 
system that complies with these requirements, 
and provides a cost-effective implementation. 
Sensitive data is never in an unencrypted 
state at-rest on any of the systems, including 
temporary files and tables. 
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Who's guarding your Exchange Server? 



the leading email content 
security & anti-virus solution! 
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